security/seclvl.c

   1 /**
   2  * BSD Secure Levels LSM
   3  *
   4  * Maintainers:
   5  *      Michael A. Halcrow <mike@halcrow.us>
   6  *      Serge Hallyn <hallyn@cs.wm.edu>
   7  *
   8  * Copyright (c) 2001 WireX Communications, Inc <chris@wirex.com>
   9  * Copyright (c) 2001 Greg Kroah-Hartman <greg@kroah.com>
  10  * Copyright (c) 2002 International Business Machines <robb@austin.ibm.com>
  11  *
  12  *      This program is free software; you can redistribute it and/or modify
  13  *      it under the terms of the GNU General Public License as published by
  14  *      the Free Software Foundation; either version 2 of the License, or
  15  *      (at your option) any later version.
  16  */
  17
  18 #include <linux/config.h>
  19 #include <linux/module.h>
  20 #include <linux/moduleparam.h>
  21 #include <linux/kernel.h>
  22 #include <linux/init.h>
  23 #include <linux/security.h>
  24 #include <linux/netlink.h>
  25 #include <linux/fs.h>
  26 #include <linux/namei.h>
  27 #include <linux/mount.h>
  28 #include <linux/capability.h>
  29 #include <linux/time.h>
  30 #include <linux/proc_fs.h>
  31 #include <linux/kobject.h>
  32 #include <linux/crypto.h>
  33 #include <asm/scatterlist.h>
  34 #include <linux/gfp.h>
  35 #include <linux/sysfs.h>
  36
  37 #define SHA1_DIGEST_SIZE 20
  38
  39 /**
  40  * Module parameter that defines the initial secure level.
  41  *
  42  * When built as a module, it defaults to seclvl 1, which is the
  43  * behavior of BSD secure levels.  Note that this default behavior
  44  * wrecks havoc on a machine when the seclvl module is compiled into
  45  * the kernel.  In that case, we default to seclvl 0.
  46  */
  47 #ifdef CONFIG_SECURITY_SECLVL_MODULE
  48 static int initlvl = 1;
  49 #else
  50 static int initlvl;
  51 #endif
  52 module_param(initlvl, int, 0);
  53 MODULE_PARM_DESC(initlvl, "Initial secure level (defaults to 1)");
  54
  55 /* Module parameter that defines the verbosity level */
  56 static int verbosity;
  57 module_param(verbosity, int, 0);
  58 MODULE_PARM_DESC(verbosity, "Initial verbosity level (0 or 1; defaults to "
  59                  "0, which is Quiet)");
  60
  61 /**
  62  * Optional password which can be passed in to bring seclvl to 0
  63  * (i.e., for halt/reboot).  Defaults to NULL (the passwd attribute
  64  * file will not be registered in sysfs).
  65  *
  66  * This gets converted to its SHA1 hash when stored.  It's probably
  67  * not a good idea to use this parameter when loading seclvl from a
  68  * script; use sha1_passwd instead.
  69  */
  70
  71 #define MAX_PASSWD_SIZE 32
  72 static char passwd[MAX_PASSWD_SIZE];
  73 module_param_string(passwd, passwd, sizeof(passwd), 0);
  74 MODULE_PARM_DESC(passwd,
  75                  "Plaintext of password that sets seclvl=0 when written to "
  76                  "(sysfs mount point)/seclvl/passwd\n");
  77
  78 /**
  79  * SHA1 hashed version of the optional password which can be passed in
  80  * to bring seclvl to 0 (i.e., for halt/reboot).  Must be in
  81  * hexadecimal format (40 characters).  Defaults to NULL (the passwd
  82  * attribute file will not be registered in sysfs).
  83  *
  84  * Use the sha1sum utility to generate the SHA1 hash of a password:
  85  *
  86  * echo -n "secret" | sha1sum
  87  */
  88 #define MAX_SHA1_PASSWD 41
  89 static char sha1_passwd[MAX_SHA1_PASSWD];
  90 module_param_string(sha1_passwd, sha1_passwd, sizeof(sha1_passwd), 0);
  91 MODULE_PARM_DESC(sha1_passwd,
  92                  "SHA1 hash (40 hexadecimal characters) of password that "
  93                  "sets seclvl=0 when plaintext password is written to "
  94                  "(sysfs mount point)/seclvl/passwd\n");
  95
  96 static int hideHash = 1;
  97 module_param(hideHash, int, 0);
  98 MODULE_PARM_DESC(hideHash, "When set to 0, reading seclvl/passwd from sysfs "
  99                  "will return the SHA1-hashed value of the password that "
 100                  "lowers the secure level to 0.\n");
 101
 102 #define MY_NAME "seclvl"
 103
 104 /**
 105  * This time-limits log writes to one per second.
 106  */
 107 #define seclvl_printk(verb, type, fmt, arg...)                  \
 108         do {                                                    \
 109                 if (verbosity >= verb) {                        \
 110                         static unsigned long _prior;            \
 111                         unsigned long _now = jiffies;           \
 112                         if ((_now - _prior) > HZ) {             \
 113                                 printk(type "%s: %s: " fmt,     \
 114                                         MY_NAME, __FUNCTION__ , \
 115                                         ## arg);                \
 116                                 _prior = _now;                  \
 117                         }                                       \
 118                 }                                               \
 119         } while (0)
 120
 121 /**
 122  * The actual security level.  Ranges between -1 and 2 inclusive.
 123  */
 124 static int seclvl;
 125
 126 /**
 127  * flag to keep track of how we were registered
 128  */
 129 static int secondary;
 130
 131 /**
 132  * Verifies that the requested secure level is valid, given the current
 133  * secure level.
 134  */
 135 static int seclvl_sanity(int reqlvl)
 136 {
 137         if ((reqlvl < -1) || (reqlvl > 2)) {
 138                 seclvl_printk(1, KERN_WARNING, "Attempt to set seclvl out of "
 139                               "range: [%d]\n", reqlvl);
 140                 return -EINVAL;
 141         }
 142         if ((seclvl == 0) && (reqlvl == -1))
 143                 return 0;
 144         if (reqlvl < seclvl) {
 145                 seclvl_printk(1, KERN_WARNING, "Attempt to lower seclvl to "
 146                               "[%d]\n", reqlvl);
 147                 return -EPERM;
 148         }
 149         return 0;
 150 }
 151
 152 /**
 153  * security level advancement rules:
 154  *   Valid levels are -1 through 2, inclusive.
 155  *   From -1, stuck.  [ in case compiled into kernel ]
 156  *   From 0 or above, can only increment.
 157  */
 158 static void do_seclvl_advance(void *data, u64 val)
 159 {
 160         int ret;
 161         int newlvl = (int)val;
 162
 163         ret = seclvl_sanity(newlvl);
 164         if (ret)
 165                 return;
 166
 167         if (newlvl > 2) {
 168                 seclvl_printk(1, KERN_WARNING, "Cannot advance to seclvl "
 169                               "[%d]\n", newlvl);
 170                 return;
 171         }
 172         if (seclvl == -1) {
 173                 seclvl_printk(1, KERN_WARNING, "Not allowed to advance to "
 174                               "seclvl [%d]\n", seclvl);
 175                 return;
 176         }
 177         seclvl = newlvl;  /* would it be more "correct" to set *data? */
 178         return;
 179 }
 180
 181 static u64 seclvl_int_get(void *data)
 182 {
 183         return *(int *)data;
 184 }
 185
 186 DEFINE_SIMPLE_ATTRIBUTE(seclvl_file_ops, seclvl_int_get, do_seclvl_advance, "%lld\n");
 187
 188 static unsigned char hashedPassword[SHA1_DIGEST_SIZE];
 189
 190 /**
 191  * Converts a block of plaintext of into its SHA1 hashed value.
 192  *
 193  * It would be nice if crypto had a wrapper to do this for us linear
 194  * people...
 195  */
 196 static int
 197 plaintext_to_sha1(unsigned char *hash, const char *plaintext, int len)
 198 {
 199         char *pgVirtAddr;
 200         struct crypto_tfm *tfm;
 201         struct scatterlist sg[1];
 202         if (len > PAGE_SIZE) {
 203                 seclvl_printk(0, KERN_ERR, "Plaintext password too large (%d "
 204                               "characters).  Largest possible is %lu "
 205                               "bytes.\n", len, PAGE_SIZE);
 206                 return -ENOMEM;
 207         }
 208         tfm = crypto_alloc_tfm("sha1", CRYPTO_TFM_REQ_MAY_SLEEP);
 209         if (tfm == NULL) {
 210                 seclvl_printk(0, KERN_ERR,
 211                               "Failed to load transform for SHA1\n");
 212                 return -ENOSYS;
 213         }
 214         // Just get a new page; don't play around with page boundaries
 215         // and scatterlists.
 216         pgVirtAddr = (char *)__get_free_page(GFP_KERNEL);
 217         sg[0].page = virt_to_page(pgVirtAddr);
 218         sg[0].offset = 0;
 219         sg[0].length = len;
 220         strncpy(pgVirtAddr, plaintext, len);
 221         crypto_digest_init(tfm);
 222         crypto_digest_update(tfm, sg, 1);
 223         crypto_digest_final(tfm, hash);
 224         crypto_free_tfm(tfm);
 225         free_page((unsigned long)pgVirtAddr);
 226         return 0;
 227 }
 228
 229 /**
 230  * Called whenever the user writes to the sysfs passwd handle to this kernel
 231  * object.  It hashes the password and compares the hashed results.
 232  */
 233 static ssize_t
 234 passwd_write_file(struct file * file, const char __user * buf,
 235                                 size_t count, loff_t *ppos)
 236 {
 237         int i;
 238         unsigned char tmp[SHA1_DIGEST_SIZE];
 239         char *page;
 240         int rc;
 241         int len;
 242
 243         if (!*passwd && !*sha1_passwd) {
 244                 seclvl_printk(0, KERN_ERR, "Attempt to password-unlock the "
 245                               "seclvl module, but neither a plain text "
 246                               "password nor a SHA1 hashed password was "
 247                               "passed in as a module parameter!  This is a "
 248                               "bug, since it should not be possible to be in "
 249                               "this part of the module; please tell a "
 250                               "maintainer about this event.\n");
 251                 return -EINVAL;
 252         }
 253
 254         if (count < 0 || count >= PAGE_SIZE)
 255                 return -EINVAL;
 256         if (*ppos != 0)
 257                 return -EINVAL;
 258         page = (char *)get_zeroed_page(GFP_KERNEL);
 259         if (!page)
 260                 return -ENOMEM;
 261         len = -EFAULT;
 262         if (copy_from_user(page, buf, count))
 263                 goto out;
 264
 265         len = strlen(page);
 266         /* ``echo "secret" > seclvl/passwd'' includes a newline */
 267         if (page[len - 1] == '\n')
 268                 len--;
 269         /* Hash the password, then compare the hashed values */
 270         if ((rc = plaintext_to_sha1(tmp, page, len))) {
 271                 seclvl_printk(0, KERN_ERR, "Error hashing password: rc = "
 272                               "[%d]\n", rc);
 273                 return rc;
 274         }
 275         for (i = 0; i < SHA1_DIGEST_SIZE; i++) {
 276                 if (hashedPassword[i] != tmp[i])
 277                         return -EPERM;
 278         }
 279         seclvl_printk(0, KERN_INFO,
 280                       "Password accepted; seclvl reduced to 0.\n");
 281         seclvl = 0;
 282         len = count;
 283
 284 out:
 285         free_page((unsigned long)page);
 286         return len;
 287 }
 288
 289 static struct file_operations passwd_file_ops = {
 290         .write = passwd_write_file,
 291 };
 292
 293 /**
 294  * Explicitely disallow ptrace'ing the init process.
 295  */
 296 static int seclvl_ptrace(struct task_struct *parent, struct task_struct *child)
 297 {
 298         if (seclvl >= 0) {
 299                 if (child->pid == 1) {
 300                         seclvl_printk(1, KERN_WARNING, "Attempt to ptrace "
 301                                       "the init process dissallowed in "
 302                                       "secure level %d\n", seclvl);
 303                         return -EPERM;
 304                 }
 305         }
 306         return 0;
 307 }
 308
 309 /**
 310  * Capability checks for seclvl.  The majority of the policy
 311  * enforcement for seclvl takes place here.
 312  */
 313 static int seclvl_capable(struct task_struct *tsk, int cap)
 314 {
 315         /* init can do anything it wants */
 316         if (tsk->pid == 1)
 317                 return 0;
 318
 319         switch (seclvl) {
 320         case 2:
 321                 /* fall through */
 322         case 1:
 323                 if (cap == CAP_LINUX_IMMUTABLE) {
 324                         seclvl_printk(1, KERN_WARNING, "Attempt to modify "
 325                                       "the IMMUTABLE and/or APPEND extended "
 326                                       "attribute on a file with the IMMUTABLE "
 327                                       "and/or APPEND extended attribute set "
 328                                       "denied in seclvl [%d]\n", seclvl);
 329                         return -EPERM;
 330                 } else if (cap == CAP_SYS_RAWIO) {      // Somewhat broad...
 331                         seclvl_printk(1, KERN_WARNING, "Attempt to perform "
 332                                       "raw I/O while in secure level [%d] "
 333                                       "denied\n", seclvl);
 334                         return -EPERM;
 335                 } else if (cap == CAP_NET_ADMIN) {
 336                         seclvl_printk(1, KERN_WARNING, "Attempt to perform "
 337                                       "network administrative task while "
 338                                       "in secure level [%d] denied\n", seclvl);
 339                         return -EPERM;
 340                 } else if (cap == CAP_SETUID) {
 341                         seclvl_printk(1, KERN_WARNING, "Attempt to setuid "
 342                                       "while in secure level [%d] denied\n",
 343                                       seclvl);
 344                         return -EPERM;
 345                 } else if (cap == CAP_SETGID) {
 346                         seclvl_printk(1, KERN_WARNING, "Attempt to setgid "
 347                                       "while in secure level [%d] denied\n",
 348                                       seclvl);
 349                 } else if (cap == CAP_SYS_MODULE) {
 350                         seclvl_printk(1, KERN_WARNING, "Attempt to perform "
 351                                       "a module operation while in secure "
 352                                       "level [%d] denied\n", seclvl);
 353                         return -EPERM;
 354                 }
 355                 break;
 356         default:
 357                 break;
 358         }
 359         /* from dummy.c */
 360         if (cap_is_fs_cap(cap) ? tsk->fsuid == 0 : tsk->euid == 0)
 361                 return 0;       /* capability granted */
 362         seclvl_printk(1, KERN_WARNING, "Capability denied\n");
 363         return -EPERM;          /* capability denied */
 364 }
 365
 366 /**
 367  * Disallow reversing the clock in seclvl > 1
 368  */
 369 static int seclvl_settime(struct timespec *tv, struct timezone *tz)
 370 {
 371         if (tv && seclvl > 1) {
 372                 struct timespec now;
 373                 now = current_kernel_time();
 374                 if (tv->tv_sec < now.tv_sec ||
 375                     (tv->tv_sec == now.tv_sec && tv->tv_nsec < now.tv_nsec)) {
 376                         seclvl_printk(1, KERN_WARNING, "Attempt to decrement "
 377                                       "time in secure level %d denied: "
 378                                       "current->pid = [%d], "
 379                                       "current->group_leader->pid = [%d]\n",
 380                                       seclvl, current->pid,
 381                                       current->group_leader->pid);
 382                         return -EPERM;
 383                 }               /* if attempt to decrement time */
 384         }                       /* if seclvl > 1 */
 385         return 0;
 386 }
 387
 388 /* claim the blockdev to exclude mounters, release on file close */
 389 static int seclvl_bd_claim(struct inode *inode)
 390 {
 391         int holder;
 392         struct block_device *bdev = NULL;
 393         dev_t dev = inode->i_rdev;
 394         bdev = open_by_devnum(dev, FMODE_WRITE);
 395         if (bdev) {
 396                 if (bd_claim(bdev, &holder)) {
 397                         blkdev_put(bdev);
 398                         return -EPERM;
 399                 }
 400                 /* claimed, mark it to release on close */
 401                 inode->i_security = current;
 402         }
 403         return 0;
 404 }
 405
 406 /* release the blockdev if you claimed it */
 407 static void seclvl_bd_release(struct inode *inode)
 408 {
 409         if (inode && S_ISBLK(inode->i_mode) && inode->i_security == current) {
 410                 struct block_device *bdev = inode->i_bdev;
 411                 if (bdev) {
 412                         bd_release(bdev);
 413                         blkdev_put(bdev);
 414                         inode->i_security = NULL;
 415                 }
 416         }
 417 }
 418
 419 /**
 420  * Security for writes to block devices is regulated by this seclvl
 421  * function.  Deny all writes to block devices in seclvl 2.  In
 422  * seclvl 1, we only deny writes to *mounted* block devices.
 423  */
 424 static int
 425 seclvl_inode_permission(struct inode *inode, int mask, struct nameidata *nd)
 426 {
 427         if (current->pid != 1 && S_ISBLK(inode->i_mode) && (mask & MAY_WRITE)) {
 428                 switch (seclvl) {
 429                 case 2:
 430                         seclvl_printk(1, KERN_WARNING, "Write to block device "
 431                                       "denied in secure level [%d]\n", seclvl);
 432                         return -EPERM;
 433                 case 1:
 434                         if (seclvl_bd_claim(inode)) {
 435                                 seclvl_printk(1, KERN_WARNING,
 436                                               "Write to mounted block device "
 437                                               "denied in secure level [%d]\n",
 438                                               seclvl);
 439                                 return -EPERM;
 440                         }
 441                 }
 442         }
 443         return 0;
 444 }
 445
 446 /**
 447  * The SUID and SGID bits cannot be set in seclvl >= 1
 448  */
 449 static int seclvl_inode_setattr(struct dentry *dentry, struct iattr *iattr)
 450 {
 451         if (seclvl > 0) {
 452                 if (iattr->ia_valid & ATTR_MODE)
 453                         if (iattr->ia_mode & S_ISUID ||
 454                             iattr->ia_mode & S_ISGID) {
 455                                 seclvl_printk(1, KERN_WARNING, "Attempt to "
 456                                               "modify SUID or SGID bit "
 457                                               "denied in seclvl [%d]\n",
 458                                               seclvl);
 459                                 return -EPERM;
 460                         }
 461         }
 462         return 0;
 463 }
 464
 465 /* release busied block devices */
 466 static void seclvl_file_free_security(struct file *filp)
 467 {
 468         struct dentry *dentry = filp->f_dentry;
 469         struct inode *inode = NULL;
 470
 471         if (dentry) {
 472                 inode = dentry->d_inode;
 473                 seclvl_bd_release(inode);
 474         }
 475 }
 476
 477 /**
 478  * Cannot unmount in secure level 2
 479  */
 480 static int seclvl_umount(struct vfsmount *mnt, int flags)
 481 {
 482         if (current->pid == 1)
 483                 return 0;
 484         if (seclvl == 2) {
 485                 seclvl_printk(1, KERN_WARNING, "Attempt to unmount in secure "
 486                               "level %d\n", seclvl);
 487                 return -EPERM;
 488         }
 489         return 0;
 490 }
 491
 492 static struct security_operations seclvl_ops = {
 493         .ptrace = seclvl_ptrace,
 494         .capable = seclvl_capable,
 495         .inode_permission = seclvl_inode_permission,
 496         .inode_setattr = seclvl_inode_setattr,
 497         .file_free_security = seclvl_file_free_security,
 498         .settime = seclvl_settime,
 499         .sb_umount = seclvl_umount,
 500 };
 501
 502 /**
 503  * Process the password-related module parameters
 504  */
 505 static int processPassword(void)
 506 {
 507         int rc = 0;
 508         hashedPassword[0] = '\0';
 509         if (*passwd) {
 510                 if (*sha1_passwd) {
 511                         seclvl_printk(0, KERN_ERR, "Error: Both "
 512                                       "passwd and sha1_passwd "
 513                                       "were set, but they are mutually "
 514                                       "exclusive.\n");
 515                         return -EINVAL;
 516                 }
 517                 if ((rc = plaintext_to_sha1(hashedPassword, passwd,
 518                                             strlen(passwd)))) {
 519                         seclvl_printk(0, KERN_ERR, "Error: SHA1 support not "
 520                                       "in kernel\n");
 521                         return rc;
 522                 }
 523                 /* All static data goes to the BSS, which zero's the
 524                  * plaintext password out for us. */
 525         } else if (*sha1_passwd) {      // Base 16
 526                 int i;
 527                 i = strlen(sha1_passwd);
 528                 if (i != (SHA1_DIGEST_SIZE * 2)) {
 529                         seclvl_printk(0, KERN_ERR, "Received [%d] bytes; "
 530                                       "expected [%d] for the hexadecimal "
 531                                       "representation of the SHA1 hash of "
 532                                       "the password.\n",
 533                                       i, (SHA1_DIGEST_SIZE * 2));
 534                         return -EINVAL;
 535                 }
 536                 while ((i -= 2) + 2) {
 537                         unsigned char tmp;
 538                         tmp = sha1_passwd[i + 2];
 539                         sha1_passwd[i + 2] = '\0';
 540                         hashedPassword[i / 2] = (unsigned char)
 541                             simple_strtol(&sha1_passwd[i], NULL, 16);
 542                         sha1_passwd[i + 2] = tmp;
 543                 }
 544         }
 545         return 0;
 546 }
 547
 548 /**
 549  * securityfs registrations
 550  */
 551 struct dentry *dir_ino, *seclvl_ino, *passwd_ino;
 552
 553 static int seclvlfs_register(void)
 554 {
 555         dir_ino = securityfs_create_dir("seclvl", NULL);
 556         if (!dir_ino)
 557                 return -EFAULT;
 558
 559         seclvl_ino = securityfs_create_file("seclvl", S_IRUGO | S_IWUSR,
 560                                 dir_ino, &seclvl, &seclvl_file_ops);
 561         if (!seclvl_ino)
 562                 goto out_deldir;
 563         if (*passwd || *sha1_passwd) {
 564                 passwd_ino = securityfs_create_file("passwd", S_IRUGO | S_IWUSR,
 565                                 dir_ino, NULL, &passwd_file_ops);
 566                 if (!passwd_ino)
 567                         goto out_delf;
 568         }
 569         return 0;
 570
 571 out_deldir:
 572         securityfs_remove(dir_ino);
 573 out_delf:
 574         securityfs_remove(seclvl_ino);
 575
 576         return -EFAULT;
 577 }
 578
 579 /**
 580  * Initialize the seclvl module.
 581  */
 582 static int __init seclvl_init(void)
 583 {
 584         int rc = 0;
 585         if (verbosity < 0 || verbosity > 1) {
 586                 printk(KERN_ERR "Error: bad verbosity [%d]; only 0 or 1 "
 587                        "are valid values\n", verbosity);
 588                 rc = -EINVAL;
 589                 goto exit;
 590         }
 591         if (initlvl < -1 || initlvl > 2) {
 592                 seclvl_printk(0, KERN_ERR, "Error: bad initial securelevel "
 593                               "[%d].\n", initlvl);
 594                 rc = -EINVAL;
 595                 goto exit;
 596         }
 597         seclvl = initlvl;
 598         if ((rc = processPassword())) {
 599                 seclvl_printk(0, KERN_ERR, "Error processing the password "
 600                               "module parameter(s): rc = [%d]\n", rc);
 601                 goto exit;
 602         }
 603         /* register ourselves with the security framework */
 604         if (register_security(&seclvl_ops)) {
 605                 seclvl_printk(0, KERN_ERR,
 606                               "seclvl: Failure registering with the "
 607                               "kernel.\n");
 608                 /* try registering with primary module */
 609                 rc = mod_reg_security(MY_NAME, &seclvl_ops);
 610                 if (rc) {
 611                         seclvl_printk(0, KERN_ERR, "seclvl: Failure "
 612                                       "registering with primary security "
 613                                       "module.\n");
 614                         goto exit;
 615                 }               /* if primary module registered */
 616                 secondary = 1;
 617         }                       /* if we registered ourselves with the security framework */
 618         if ((rc = seclvlfs_register())) {
 619                 seclvl_printk(0, KERN_ERR, "Error registering with sysfs\n");
 620                 goto exit;
 621         }
 622         seclvl_printk(0, KERN_INFO, "seclvl: Successfully initialized.\n");
 623  exit:
 624         if (rc) {
 625                 printk(KERN_ERR "seclvl: Error during initialization: rc = "
 626                        "[%d]\n", rc);
 627         }
 628         return rc;
 629 }
 630
 631 /**
 632  * Remove the seclvl module.
 633  */
 634 static void __exit seclvl_exit(void)
 635 {
 636         securityfs_remove(seclvl_ino);
 637         if (*passwd || *sha1_passwd)
 638                 securityfs_remove(passwd_ino);
 639         securityfs_remove(dir_ino);
 640         if (secondary == 1) {
 641                 mod_unreg_security(MY_NAME, &seclvl_ops);
 642         } else if (unregister_security(&seclvl_ops)) {
 643                 seclvl_printk(0, KERN_INFO,
 644                               "seclvl: Failure unregistering with the "
 645                               "kernel\n");
 646         }
 647 }
 648
 649 module_init(seclvl_init);
 650 module_exit(seclvl_exit);
 651
 652 MODULE_AUTHOR("Michael A. Halcrow <mike@halcrow.us>");
 653 MODULE_DESCRIPTION("LSM implementation of the BSD Secure Levels");
 654 MODULE_LICENSE("GPL");