From: Linus Torvalds Date: Tue, 13 Sep 2005 16:48:54 +0000 (-0700) Subject: Merge master.kernel.org:/pub/scm/linux/kernel/git/chrisw/lsm-2.6 X-Git-Tag: v2.6.16.28-rc1~3716 X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=ddbf9ef385bfbef897210733abfb73cb9b94ecec;hp=-c;p=karo-tx-linux.git Merge master.kernel.org:/pub/scm/linux/kernel/git/chrisw/lsm-2.6 --- ddbf9ef385bfbef897210733abfb73cb9b94ecec diff --combined include/linux/security.h index 55b02e1c73f4,cd3d8a9f951e..0e43460d374e --- a/include/linux/security.h +++ b/include/linux/security.h @@@ -250,37 -250,29 +250,37 @@@ struct swap_info_struct * @inode contains the inode structure. * Deallocate the inode security structure and set @inode->i_security to * NULL. + * @inode_init_security: + * Obtain the security attribute name suffix and value to set on a newly + * created inode and set up the incore security field for the new inode. + * This hook is called by the fs code as part of the inode creation + * transaction and provides for atomic labeling of the inode, unlike + * the post_create/mkdir/... hooks called by the VFS. The hook function + * is expected to allocate the name and value via kmalloc, with the caller + * being responsible for calling kfree after using them. + * If the security module does not use security attributes or does + * not wish to put a security attribute on this particular inode, + * then it should return -EOPNOTSUPP to skip this processing. + * @inode contains the inode structure of the newly created inode. + * @dir contains the inode structure of the parent directory. + * @name will be set to the allocated name suffix (e.g. selinux). + * @value will be set to the allocated attribute value. + * @len will be set to the length of the value. + * Returns 0 if @name and @value have been successfully set, + * -EOPNOTSUPP if no security attribute is needed, or + * -ENOMEM on memory allocation failure. * @inode_create: * Check permission to create a regular file. 
* @dir contains inode structure of the parent of the new file. * @dentry contains the dentry structure for the file to be created. * @mode contains the file mode of the file to be created. * Return 0 if permission is granted. - * @inode_post_create: - * Set the security attributes on a newly created regular file. This hook - * is called after a file has been successfully created. - * @dir contains the inode structure of the parent directory of the new file. - * @dentry contains the the dentry structure for the newly created file. - * @mode contains the file mode. * @inode_link: * Check permission before creating a new hard link to a file. * @old_dentry contains the dentry structure for an existing link to the file. * @dir contains the inode structure of the parent directory of the new link. * @new_dentry contains the dentry structure for the new link. * Return 0 if permission is granted. - * @inode_post_link: - * Set security attributes for a new hard link to a file. - * @old_dentry contains the dentry structure for the existing link. - * @dir contains the inode structure of the parent directory of the new file. - * @new_dentry contains the dentry structure for the new file link. * @inode_unlink: * Check the permission to remove a hard link to a file. * @dir contains the inode structure of parent directory of the file. @@@ -292,6 -284,13 +292,6 @@@ * @dentry contains the dentry structure of the symbolic link. * @old_name contains the pathname of file. * Return 0 if permission is granted. - * @inode_post_symlink: - * @dir contains the inode structure of the parent directory of the new link. - * @dentry contains the dentry structure of new symbolic link. - * @old_name contains the pathname of file. - * Set security attributes for a newly created symbolic link. Note that - * @dentry->d_inode may be NULL, since the filesystem might not - * instantiate the dentry (e.g. NFS). 
* @inode_mkdir: * Check permissions to create a new directory in the existing directory * associated with inode strcture @dir. @@@ -299,6 -298,11 +299,6 @@@ * @dentry contains the dentry structure of new directory. * @mode contains the mode of new directory. * Return 0 if permission is granted. - * @inode_post_mkdir: - * Set security attributes on a newly created directory. - * @dir contains the inode structure of parent of the directory to be created. - * @dentry contains the dentry structure of new directory. - * @mode contains the mode of new directory. * @inode_rmdir: * Check the permission to remove a directory. * @dir contains the inode structure of parent of the directory to be removed. @@@ -314,6 -318,13 +314,6 @@@ * @mode contains the mode of the new file. * @dev contains the the device number. * Return 0 if permission is granted. - * @inode_post_mknod: - * Set security attributes on a newly created special file (or socket or - * fifo file created via the mknod system call). - * @dir contains the inode structure of parent of the new node. - * @dentry contains the dentry structure of the new node. - * @mode contains the mode of the new node. - * @dev contains the the device number. * @inode_rename: * Check for permission to rename a file or directory. * @old_dir contains the inode structure for parent of the old link. @@@ -321,6 -332,12 +321,6 @@@ * @new_dir contains the inode structure for parent of the new link. * @new_dentry contains the dentry structure of the new link. * Return 0 if permission is granted. - * @inode_post_rename: - * Set security attributes on a renamed file or directory. - * @old_dir contains the inode structure for parent of the old link. - * @old_dentry contains the dentry structure of the old link. - * @new_dir contains the inode structure for parent of the new link. - * @new_dentry contains the dentry structure of the new link. * @inode_readlink: * Check the permission to read the symbolic link. 
* @dentry contains the dentry structure for the file link. @@@ -1063,21 -1080,34 +1063,21 @@@ struct security_operations int (*inode_alloc_security) (struct inode *inode); void (*inode_free_security) (struct inode *inode); + int (*inode_init_security) (struct inode *inode, struct inode *dir, + char **name, void **value, size_t *len); int (*inode_create) (struct inode *dir, struct dentry *dentry, int mode); - void (*inode_post_create) (struct inode *dir, - struct dentry *dentry, int mode); int (*inode_link) (struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry); - void (*inode_post_link) (struct dentry *old_dentry, - struct inode *dir, struct dentry *new_dentry); int (*inode_unlink) (struct inode *dir, struct dentry *dentry); int (*inode_symlink) (struct inode *dir, struct dentry *dentry, const char *old_name); - void (*inode_post_symlink) (struct inode *dir, - struct dentry *dentry, - const char *old_name); int (*inode_mkdir) (struct inode *dir, struct dentry *dentry, int mode); - void (*inode_post_mkdir) (struct inode *dir, struct dentry *dentry, - int mode); int (*inode_rmdir) (struct inode *dir, struct dentry *dentry); int (*inode_mknod) (struct inode *dir, struct dentry *dentry, int mode, dev_t dev); - void (*inode_post_mknod) (struct inode *dir, struct dentry *dentry, - int mode, dev_t dev); int (*inode_rename) (struct inode *old_dir, struct dentry *old_dentry, struct inode *new_dir, struct dentry *new_dentry); - void (*inode_post_rename) (struct inode *old_dir, - struct dentry *old_dentry, - struct inode *new_dir, - struct dentry *new_dentry); int (*inode_readlink) (struct dentry *dentry); int (*inode_follow_link) (struct dentry *dentry, struct nameidata *nd); int (*inode_permission) (struct inode *inode, int mask, struct nameidata *nd); @@@ -1412,17 -1442,6 +1412,17 @@@ static inline void security_inode_free return; security_ops->inode_free_security (inode); } + +static inline int security_inode_init_security (struct inode *inode, + struct 
inode *dir, + char **name, + void **value, + size_t *len) +{ + if (unlikely (IS_PRIVATE (inode))) + return -EOPNOTSUPP; + return security_ops->inode_init_security (inode, dir, name, value, len); +} static inline int security_inode_create (struct inode *dir, struct dentry *dentry, @@@ -1433,6 -1452,15 +1433,6 @@@ return security_ops->inode_create (dir, dentry, mode); } -static inline void security_inode_post_create (struct inode *dir, - struct dentry *dentry, - int mode) -{ - if (dentry->d_inode && unlikely (IS_PRIVATE (dentry->d_inode))) - return; - security_ops->inode_post_create (dir, dentry, mode); -} - static inline int security_inode_link (struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) @@@ -1442,6 -1470,15 +1442,6 @@@ return security_ops->inode_link (old_dentry, dir, new_dentry); } -static inline void security_inode_post_link (struct dentry *old_dentry, - struct inode *dir, - struct dentry *new_dentry) -{ - if (new_dentry->d_inode && unlikely (IS_PRIVATE (new_dentry->d_inode))) - return; - security_ops->inode_post_link (old_dentry, dir, new_dentry); -} - static inline int security_inode_unlink (struct inode *dir, struct dentry *dentry) { @@@ -1459,6 -1496,15 +1459,6 @@@ static inline int security_inode_symlin return security_ops->inode_symlink (dir, dentry, old_name); } -static inline void security_inode_post_symlink (struct inode *dir, - struct dentry *dentry, - const char *old_name) -{ - if (dentry->d_inode && unlikely (IS_PRIVATE (dentry->d_inode))) - return; - security_ops->inode_post_symlink (dir, dentry, old_name); -} - static inline int security_inode_mkdir (struct inode *dir, struct dentry *dentry, int mode) @@@ -1468,6 -1514,15 +1468,6 @@@ return security_ops->inode_mkdir (dir, dentry, mode); } -static inline void security_inode_post_mkdir (struct inode *dir, - struct dentry *dentry, - int mode) -{ - if (dentry->d_inode && unlikely (IS_PRIVATE (dentry->d_inode))) - return; - security_ops->inode_post_mkdir (dir, dentry, mode); 
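Review bot: security_inode_init_security returns -EOPNOTSUPP for IS_PRIVATE inodes without writing `*name`, `*value` or `*len`, and the hook documentation added in the first hunk does not say what state those outputs are in on a non-zero return. Because that documentation makes the caller responsible for kfree() on both buffers, the wrapper should carry a comment that spells this out: `/* On the IS_PRIVATE path nothing is written to *name, *value or *len; callers may only kfree() them after a 0 return. */`. The same holds for the !CONFIG_SECURITY stub later in this file, which returns -EOPNOTSUPP unconditionally.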
-} - static inline int security_inode_rmdir (struct inode *dir, struct dentry *dentry) { @@@ -1485,6 -1540,15 +1485,6 @@@ static inline int security_inode_mknod return security_ops->inode_mknod (dir, dentry, mode, dev); } -static inline void security_inode_post_mknod (struct inode *dir, - struct dentry *dentry, - int mode, dev_t dev) -{ - if (dentry->d_inode && unlikely (IS_PRIVATE (dentry->d_inode))) - return; - security_ops->inode_post_mknod (dir, dentry, mode, dev); -} - static inline int security_inode_rename (struct inode *old_dir, struct dentry *old_dentry, struct inode *new_dir, @@@ -1497,6 -1561,18 +1497,6 @@@ new_dir, new_dentry); } -static inline void security_inode_post_rename (struct inode *old_dir, - struct dentry *old_dentry, - struct inode *new_dir, - struct dentry *new_dentry) -{ - if (unlikely (IS_PRIVATE (old_dentry->d_inode) || - (new_dentry->d_inode && IS_PRIVATE (new_dentry->d_inode)))) - return; - security_ops->inode_post_rename (old_dir, old_dentry, - new_dir, new_dentry); -} - static inline int security_inode_readlink (struct dentry *dentry) { if (unlikely (IS_PRIVATE (dentry->d_inode))) @@@ -1907,6 -1983,11 +1907,11 @@@ extern int register_security (struct se extern int unregister_security (struct security_operations *ops); extern int mod_reg_security (const char *name, struct security_operations *ops); extern int mod_unreg_security (const char *name, struct security_operations *ops); + extern struct dentry *securityfs_create_file(const char *name, mode_t mode, + struct dentry *parent, void *data, + struct file_operations *fops); + extern struct dentry *securityfs_create_dir(const char *name, struct dentry *parent); + extern void securityfs_remove(struct dentry *dentry); #else /* CONFIG_SECURITY */ @@@ -2095,15 -2176,6 +2100,15 @@@ static inline int security_inode_alloc static inline void security_inode_free (struct inode *inode) { } + +static inline int security_inode_init_security (struct inode *inode, + struct inode *dir, + char **name, 
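Review bot: The three securityfs_* prototypes are declared without any comment on how failure is reported, and the user added in this same commit (security/seclvl.c) tests the results with `!ptr`. If the implementation, which is not shown here, reports errors as ERR_PTR() values, those tests never fire, so the convention should be stated next to the declarations in a one-line comment. The declarations also sit only above `#else /* CONFIG_SECURITY */`, so callers appear to need CONFIG_SECURITY to link; say so in the comment if no stubs are intended.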
+ void **value, + size_t *len) +{ + return -EOPNOTSUPP; +} static inline int security_inode_create (struct inode *dir, struct dentry *dentry, @@@ -2112,6 -2184,11 +2117,6 @@@ return 0; } -static inline void security_inode_post_create (struct inode *dir, - struct dentry *dentry, - int mode) -{ } - static inline int security_inode_link (struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) @@@ -2119,6 -2196,11 +2124,6 @@@ return 0; } -static inline void security_inode_post_link (struct dentry *old_dentry, - struct inode *dir, - struct dentry *new_dentry) -{ } - static inline int security_inode_unlink (struct inode *dir, struct dentry *dentry) { @@@ -2132,6 -2214,11 +2137,6 @@@ static inline int security_inode_symlin return 0; } -static inline void security_inode_post_symlink (struct inode *dir, - struct dentry *dentry, - const char *old_name) -{ } - static inline int security_inode_mkdir (struct inode *dir, struct dentry *dentry, int mode) @@@ -2139,6 -2226,11 +2144,6 @@@ return 0; } -static inline void security_inode_post_mkdir (struct inode *dir, - struct dentry *dentry, - int mode) -{ } - static inline int security_inode_rmdir (struct inode *dir, struct dentry *dentry) { @@@ -2152,6 -2244,11 +2157,6 @@@ static inline int security_inode_mknod return 0; } -static inline void security_inode_post_mknod (struct inode *dir, - struct dentry *dentry, - int mode, dev_t dev) -{ } - static inline int security_inode_rename (struct inode *old_dir, struct dentry *old_dentry, struct inode *new_dir, @@@ -2160,6 -2257,12 +2165,6 @@@ return 0; } -static inline void security_inode_post_rename (struct inode *old_dir, - struct dentry *old_dentry, - struct inode *new_dir, - struct dentry *new_dentry) -{ } - static inline int security_inode_readlink (struct dentry *dentry) { return 0; @@@ -2629,8 -2732,7 +2634,8 @@@ static inline int security_socket_getpe return security_ops->socket_getpeersec(sock, optval, optlen, len); } -static inline int security_sk_alloc(struct 
sock *sk, int family, int priority) +static inline int security_sk_alloc(struct sock *sk, int family, + unsigned int __nocast priority) { return security_ops->sk_alloc_security(sk, family, priority); } @@@ -2747,8 -2849,7 +2752,8 @@@ static inline int security_socket_getpe return -ENOPROTOOPT; } -static inline int security_sk_alloc(struct sock *sk, int family, int priority) +static inline int security_sk_alloc(struct sock *sk, int family, + unsigned int __nocast priority) { return 0; } diff --combined security/seclvl.c index 96b1f2122f67,f8700e935b33..dc4e17b6eaf6 --- a/security/seclvl.c +++ b/security/seclvl.c @@@ -118,69 -118,6 +118,6 @@@ MODULE_PARM_DESC(hideHash, "When set t } \ } while (0) - /** - * kobject stuff - */ - - struct subsystem seclvl_subsys; - - struct seclvl_obj { - char *name; - struct list_head slot_list; - struct kobject kobj; - }; - - /** - * There is a seclvl_attribute struct for each file in sysfs. - * - * In our case, we have one of these structs for "passwd" and another - * for "seclvl". - */ - struct seclvl_attribute { - struct attribute attr; - ssize_t(*show) (struct seclvl_obj *, char *); - ssize_t(*store) (struct seclvl_obj *, const char *, size_t); - }; - - /** - * When this function is called, one of the files in sysfs is being - * written to. attribute->store is a function pointer to whatever the - * struct seclvl_attribute store function pointer points to. It is - * unique for "passwd" and "seclvl". - */ - static ssize_t - seclvl_attr_store(struct kobject *kobj, - struct attribute *attr, const char *buf, size_t len) - { - struct seclvl_obj *obj = container_of(kobj, struct seclvl_obj, kobj); - struct seclvl_attribute *attribute = - container_of(attr, struct seclvl_attribute, attr); - return attribute->store ? 
attribute->store(obj, buf, len) : -EIO; - } - - static ssize_t - seclvl_attr_show(struct kobject *kobj, struct attribute *attr, char *buf) - { - struct seclvl_obj *obj = container_of(kobj, struct seclvl_obj, kobj); - struct seclvl_attribute *attribute = - container_of(attr, struct seclvl_attribute, attr); - return attribute->show ? attribute->show(obj, buf) : -EIO; - } - - /** - * Callback function pointers for show and store - */ - static struct sysfs_ops seclvlfs_sysfs_ops = { - .show = seclvl_attr_show, - .store = seclvl_attr_store, - }; - - static struct kobj_type seclvl_ktype = { - .sysfs_ops = &seclvlfs_sysfs_ops - }; - - decl_subsys(seclvl, &seclvl_ktype, NULL); - /** * The actual security level. Ranges between -1 and 2 inclusive. */ @@@ -212,97 -149,44 +149,44 @@@ static int seclvl_sanity(int reqlvl return 0; } - /** - * Called whenever the user reads the sysfs handle to this kernel - * object - */ - static ssize_t seclvl_read_file(struct seclvl_obj *obj, char *buff) - { - return snprintf(buff, PAGE_SIZE, "%d\n", seclvl); - } - /** * security level advancement rules: * Valid levels are -1 through 2, inclusive. * From -1, stuck. [ in case compiled into kernel ] * From 0 or above, can only increment. */ - static int do_seclvl_advance(int newlvl) + static void do_seclvl_advance(void *data, u64 val) { - if (newlvl <= seclvl) { - seclvl_printk(1, KERN_WARNING, "Cannot advance to seclvl " - "[%d]\n", newlvl); - return -EINVAL; - } + int ret; + int newlvl = (int)val; + + ret = seclvl_sanity(newlvl); + if (ret) + return; + if (newlvl > 2) { seclvl_printk(1, KERN_WARNING, "Cannot advance to seclvl " "[%d]\n", newlvl); - return -EINVAL; + return; } if (seclvl == -1) { seclvl_printk(1, KERN_WARNING, "Not allowed to advance to " "seclvl [%d]\n", seclvl); - return -EPERM; + return; } - seclvl = newlvl; - return 0; + seclvl = newlvl; /* would it be more "correct" to set *data? 
*/ + return; } - /** - * Called whenever the user writes to the sysfs handle to this kernel - * object (seclvl/seclvl). It expects a single-digit number. - */ - static ssize_t - seclvl_write_file(struct seclvl_obj *obj, const char *buff, size_t count) + static u64 seclvl_int_get(void *data) { - unsigned long val; - if (count > 2 || (count == 2 && buff[1] != '\n')) { - seclvl_printk(1, KERN_WARNING, "Invalid value passed to " - "seclvl: [%s]\n", buff); - return -EINVAL; - } - val = buff[0] - 48; - if (seclvl_sanity(val)) { - seclvl_printk(1, KERN_WARNING, "Illegal secure level " - "requested: [%d]\n", (int)val); - return -EPERM; - } - if (do_seclvl_advance(val)) { - seclvl_printk(0, KERN_ERR, "Failure advancing security level " - "to %lu\n", val); - } - return count; + return *(int *)data; } - /* Generate sysfs_attr_seclvl */ - static struct seclvl_attribute sysfs_attr_seclvl = - __ATTR(seclvl, (S_IFREG | S_IRUGO | S_IWUSR), seclvl_read_file, - seclvl_write_file); + DEFINE_SIMPLE_ATTRIBUTE(seclvl_file_ops, seclvl_int_get, do_seclvl_advance, "%lld\n"); static unsigned char hashedPassword[SHA1_DIGEST_SIZE]; - /** - * Called whenever the user reads the sysfs passwd handle. - */ - static ssize_t seclvl_read_passwd(struct seclvl_obj *obj, char *buff) - { - /* So just how good *is* your password? :-) */ - char tmp[3]; - int i = 0; - buff[0] = '\0'; - if (hideHash) { - /* Security through obscurity */ - return 0; - } - while (i < SHA1_DIGEST_SIZE) { - snprintf(tmp, 3, "%02x", hashedPassword[i]); - strncat(buff, tmp, 2); - i++; - } - strcat(buff, "\n"); - return ((SHA1_DIGEST_SIZE * 2) + 1); - } - /** * Converts a block of plaintext of into its SHA1 hashed value. 
* @@@ -321,7 -205,7 +205,7 @@@ plaintext_to_sha1(unsigned char *hash, "bytes.\n", len, PAGE_SIZE); return -ENOMEM; } - tfm = crypto_alloc_tfm("sha1", 0); + tfm = crypto_alloc_tfm("sha1", CRYPTO_TFM_REQ_MAY_SLEEP); if (tfm == NULL) { seclvl_printk(0, KERN_ERR, "Failed to load transform for SHA1\n"); @@@ -347,12 -231,15 +231,15 @@@ * object. It hashes the password and compares the hashed results. */ static ssize_t - seclvl_write_passwd(struct seclvl_obj *obj, const char *buff, size_t count) + passwd_write_file(struct file * file, const char __user * buf, + size_t count, loff_t *ppos) { int i; unsigned char tmp[SHA1_DIGEST_SIZE]; + char *page; int rc; int len; + if (!*passwd && !*sha1_passwd) { seclvl_printk(0, KERN_ERR, "Attempt to password-unlock the " "seclvl module, but neither a plain text " @@@ -363,13 -250,26 +250,26 @@@ "maintainer about this event.\n"); return -EINVAL; } - len = strlen(buff); + + if (count < 0 || count >= PAGE_SIZE) + return -ENOMEM; + if (*ppos != 0) { + return -EINVAL; + } + page = (char *)get_zeroed_page(GFP_KERNEL); + if (!page) + return -ENOMEM; + len = -EFAULT; + if (copy_from_user(page, buf, count)) + goto out; + + len = strlen(page); /* ``echo "secret" > seclvl/passwd'' includes a newline */ - if (buff[len - 1] == '\n') { + if (page[len - 1] == '\n') { len--; } /* Hash the password, then compare the hashed values */ - if ((rc = plaintext_to_sha1(tmp, buff, len))) { + if ((rc = plaintext_to_sha1(tmp, page, len))) { seclvl_printk(0, KERN_ERR, "Error hashing password: rc = " "[%d]\n", rc); return rc; @@@ -382,13 -282,16 +282,16 @@@ seclvl_printk(0, KERN_INFO, "Password accepted; seclvl reduced to 0.\n"); seclvl = 0; - return count; + len = count; + + out: + free_page((unsigned long)page); + return len; } - /* Generate sysfs_attr_passwd */ - static struct seclvl_attribute sysfs_attr_passwd = - __ATTR(passwd, (S_IFREG | S_IRUGO | S_IWUSR), seclvl_read_passwd, - seclvl_write_passwd); + static struct file_operations passwd_file_ops = { + 
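Review bot: In do_seclvl_advance, `int newlvl = (int)val;` truncates the 64-bit value before any range check, so an input whose low 32 bits happen to form a valid level is accepted; checking the full width first, `if ((s64)val < -1 || (s64)val > 2) return;`, closes that. The explicit `newlvl <= seclvl` test is removed from this function, so the increment-only rule in the comment above it now rests entirely on seclvl_sanity(), whose body is outside this hunk and should be confirmed to reject a level below the current one. The setter returns void, so a rejected write presumably looks like success to the writer; a short comment on that behaviour would help the next reader.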
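Review bot: The newline trim `if (page[len - 1] == '\n')` in passwd_write_file reads one byte before the page when `len` is 0, which a zero-length write or a buffer starting with a NUL byte produces because the page is zero-filled; guard it as `if (len > 0 && page[len - 1] == '\n')`. The `return rc;` after a failed `plaintext_to_sha1()` also leaves without reaching the `out:` label added in the next hunk, so the page from `get_zeroed_page()` is leaked; `len = rc; goto out;` keeps the single exit. `count < 0` can never be true for a `size_t` and can be dropped. The function continues past this hunk, so any other early return between here and `out:` needs the same treatment.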
.write = passwd_write_file, + }; /** * Explicitely disallow ptrace'ing the init process. @@@ -647,22 -550,34 +550,34 @@@ static int processPassword(void } /** - * Sysfs registrations + * securityfs registrations */ - static int doSysfsRegistrations(void) + struct dentry *dir_ino, *seclvl_ino, *passwd_ino; + + static int seclvlfs_register(void) { - int rc = 0; - if ((rc = subsystem_register(&seclvl_subsys))) { - seclvl_printk(0, KERN_WARNING, - "Error [%d] registering seclvl subsystem\n", rc); - return rc; - } - sysfs_create_file(&seclvl_subsys.kset.kobj, &sysfs_attr_seclvl.attr); + dir_ino = securityfs_create_dir("seclvl", NULL); + if (!dir_ino) + return -EFAULT; + + seclvl_ino = securityfs_create_file("seclvl", S_IRUGO | S_IWUSR, + dir_ino, &seclvl, &seclvl_file_ops); + if (!seclvl_ino) + goto out_deldir; if (*passwd || *sha1_passwd) { - sysfs_create_file(&seclvl_subsys.kset.kobj, - &sysfs_attr_passwd.attr); + passwd_ino = securityfs_create_file("passwd", S_IRUGO | S_IWUSR, + dir_ino, NULL, &passwd_file_ops); + if (!passwd_ino) + goto out_delf; } return 0; + + out_deldir: + securityfs_remove(dir_ino); + out_delf: + securityfs_remove(seclvl_ino); + + return -EFAULT; } /** @@@ -677,8 -592,6 +592,6 @@@ static int __init seclvl_init(void rc = -EINVAL; goto exit; } - sysfs_attr_seclvl.attr.owner = THIS_MODULE; - sysfs_attr_passwd.attr.owner = THIS_MODULE; if (initlvl < -1 || initlvl > 2) { seclvl_printk(0, KERN_ERR, "Error: bad initial securelevel " "[%d].\n", initlvl); @@@ -706,7 -619,7 +619,7 @@@ } /* if primary module registered */ secondary = 1; } /* if we registered ourselves with the security framework */ - if ((rc = doSysfsRegistrations())) { + if ((rc = seclvlfs_register())) { seclvl_printk(0, KERN_ERR, "Error registering with sysfs\n"); goto exit; } @@@ -724,12 -637,11 +637,11 @@@ */ static void __exit seclvl_exit(void) { - sysfs_remove_file(&seclvl_subsys.kset.kobj, &sysfs_attr_seclvl.attr); + securityfs_remove(seclvl_ino); if (*passwd || *sha1_passwd) { - 
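Review bot: The page freed at `out:` still holds the plaintext password copied from user space, so it goes back to the page allocator with the secret in it. Clearing it first, `memset(page, 0, PAGE_SIZE);` immediately before `free_page((unsigned long)page);`, limits how long the password stays in kernel memory. The start of passwd_write_file is outside this hunk.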
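Review bot: The unwind labels in seclvlfs_register are in the wrong order: a failed "seclvl" file jumps to `out_deldir`, which removes the directory and then falls through to `securityfs_remove(seclvl_ino)` with the pointer that just failed, while a failed "passwd" file jumps to `out_delf`, which removes only `seclvl_ino` and leaves the "seclvl" directory registered. Putting `out_delf:` first, so it removes `seclvl_ino` and falls through to `out_deldir:` removing `dir_ino`, fixes both paths. `dir_ino`, `seclvl_ino` and `passwd_ino` are used only in this file as far as the diff shows and could be `static`. `passwd_file_ops` has no read handler, so creating the passwd file with `S_IWUSR` alone, without `S_IRUGO`, would match what it supports.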
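Review bot: The error message under the new `seclvlfs_register()` call still reads `"Error registering with sysfs\n"` although registration now goes through securityfs. Changing it to `"Error registering with securityfs\n"` keeps the log accurate for whoever debugs a failed module load. seclvl_init starts and ends outside this hunk.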
sysfs_remove_file(&seclvl_subsys.kset.kobj, - &sysfs_attr_passwd.attr); + securityfs_remove(passwd_ino); } - subsystem_unregister(&seclvl_subsys); + securityfs_remove(dir_ino); if (secondary == 1) { mod_unreg_security(MY_NAME, &seclvl_ops); } else if (unregister_security(&seclvl_ops)) {