From: Kees Cook <keescook@chromium.org>
To: James Morris <jmorris@namei.org>
Cc: Kees Cook <keescook@chromium.org>,
Casey Schaufler <casey@schaufler-ca.com>,
John Johansen <john.johansen@canonical.com>,
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
Paul Moore <paul@paul-moore.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
"Schaufler, Casey" <casey.schaufler@intel.com>,
LSM <linux-security-module@vger.kernel.org>,
LKLM <linux-kernel@vger.kernel.org>
Subject: [PATCH 11/18] LSM: Lift LSM selection out of individual LSMs
Date: Sat, 15 Sep 2018 17:30:52 -0700 [thread overview]
Message-ID: <20180916003059.1046-12-keescook@chromium.org> (raw)
In-Reply-To: <20180916003059.1046-1-keescook@chromium.org>
In order to adjust LSM selection logic in the future, this moves the
selection logic up out of the individual LSMs, making their init functions
only run when actually enabled.
Signed-off-by: Kees Cook <keescook@chromium.org>
---
include/linux/lsm_hooks.h | 1 -
security/apparmor/lsm.c | 6 ---
security/security.c | 75 ++++++++++++++++++++++++++------------
security/selinux/hooks.c | 10 -----
security/smack/smack_lsm.c | 3 --
security/tomoyo/tomoyo.c | 2 -
6 files changed, 51 insertions(+), 46 deletions(-)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 8a3a6cd26f03..6e71e1c47fa1 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -2094,7 +2094,6 @@ static inline void security_delete_hooks(struct security_hook_list *hooks,
#define __lsm_ro_after_init __ro_after_init
#endif /* CONFIG_SECURITY_WRITABLE_HOOKS */
-extern int __init security_module_enable(const char *module);
extern void __init capability_add_hooks(void);
#ifdef CONFIG_SECURITY_YAMA
extern void __init yama_add_hooks(void);
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 6cd630b34c3b..56c0982b48cd 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -1542,12 +1542,6 @@ static int __init apparmor_init(void)
{
int error;
- if (!apparmor_enabled || !security_module_enable("apparmor")) {
- aa_info_message("AppArmor disabled by boot time parameter");
- apparmor_enabled = false;
- return 0;
- }
-
aa_secids_init();
error = aa_setup_dfa_engine();
diff --git a/security/security.c b/security/security.c
index da2a923f2609..3fedbee5f3ec 100644
--- a/security/security.c
+++ b/security/security.c
@@ -43,13 +43,63 @@ char *lsm_names;
static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
CONFIG_DEFAULT_SECURITY;
+static struct lsm_info *exclusive __initdata;
+
+/* Mark an LSM's enabled flag, if it exists. */
+static void __init set_enabled(struct lsm_info *lsm, bool enabled)
+{
+ if (lsm->enabled)
+ *lsm->enabled = enabled;
+}
+
+/* Is an LSM allowed to be enabled? */
+static bool __init lsm_enabled(struct lsm_info *lsm)
+{
+ /* Report explicit disabling. */
+ if (lsm->enabled && !*lsm->enabled) {
+ pr_info("%s disabled with boot parameter\n", lsm->name);
+ return false;
+ }
+
+ /* If LSM isn't exclusive, ignore exclusive LSM selection rules. */
+ if (lsm->type != LSM_TYPE_EXCLUSIVE)
+ return true;
+
+ /* Disabled if another exclusive LSM already selected. */
+ if (exclusive)
+ return false;
+
+ /* Disabled if this LSM isn't the chosen one. */
+ if (strcmp(lsm->name, chosen_lsm) != 0)
+ return false;
+
+ return true;
+}
+
+/* Check if LSM should be enabled. Mark any that are disabled. */
+static void __init maybe_enable_lsm(struct lsm_info *lsm)
+{
+ int enabled = lsm_enabled(lsm);
+
+ /* Record enablement. */
+ set_enabled(lsm, enabled);
+
+ /* If selected, initialize the LSM. */
+ if (enabled) {
+ if (lsm->type == LSM_TYPE_EXCLUSIVE) {
+ exclusive = lsm;
+ }
+ lsm->init();
+ }
+}
+
static void __init lsm_init(enum lsm_type type)
{
struct lsm_info *lsm;
for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
if (lsm->type == type)
- lsm->init();
+ maybe_enable_lsm(lsm);
}
}
@@ -128,29 +178,6 @@ static int lsm_append(char *new, char **result)
return 0;
}
-/**
- * security_module_enable - Load given security module on boot ?
- * @module: the name of the module
- *
- * Each LSM must pass this method before registering its own operations
- * to avoid security registration races. This method may also be used
- * to check if your LSM is currently loaded during kernel initialization.
- *
- * Returns:
- *
- * true if:
- *
- * - The passed LSM is the one chosen by user at boot time,
- * - or the passed LSM is configured as the default and the user did not
- * choose an alternate LSM at boot time.
- *
- * Otherwise, return false.
- */
-int __init security_module_enable(const char *module)
-{
- return !strcmp(module, chosen_lsm);
-}
-
/**
* security_add_hooks - Add a modules hooks to the hook lists.
* @hooks: the hooks to add
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 78b5afc188f3..5478abf51f3a 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -7133,16 +7133,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
static __init int selinux_init(void)
{
- if (!security_module_enable("selinux")) {
- selinux_enabled = 0;
- return 0;
- }
-
- if (!selinux_enabled) {
- pr_info("SELinux: Disabled at boot.\n");
- return 0;
- }
-
pr_info("SELinux: Initializing.\n");
memset(&selinux_state, 0, sizeof(selinux_state));
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 1e1ace718e75..6e127c357ca2 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4834,9 +4834,6 @@ static __init int smack_init(void)
struct cred *cred;
struct task_smack *tsp;
- if (!security_module_enable("smack"))
- return 0;
-
smack_inode_cache = KMEM_CACHE(inode_smack, 0);
if (!smack_inode_cache)
return -ENOMEM;
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index a280d4eab456..0471390409c5 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -540,8 +540,6 @@ static int __init tomoyo_init(void)
{
struct cred *cred = (struct cred *) current_cred();
- if (!security_module_enable("tomoyo"))
- return 0;
/* register ourselves with the security framework */
security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo");
printk(KERN_INFO "TOMOYO Linux initialized\n");
--
2.17.1
WARNING: multiple messages have this Message-ID (diff)
From: keescook@chromium.org (Kees Cook)
To: linux-security-module@vger.kernel.org
Subject: [PATCH 11/18] LSM: Lift LSM selection out of individual LSMs
Date: Sat, 15 Sep 2018 17:30:52 -0700 [thread overview]
Message-ID: <20180916003059.1046-12-keescook@chromium.org> (raw)
In-Reply-To: <20180916003059.1046-1-keescook@chromium.org>
In order to adjust LSM selection logic in the future, this moves the
selection logic up out of the individual LSMs, making their init functions
only run when actually enabled.
Signed-off-by: Kees Cook <keescook@chromium.org>
---
include/linux/lsm_hooks.h | 1 -
security/apparmor/lsm.c | 6 ---
security/security.c | 75 ++++++++++++++++++++++++++------------
security/selinux/hooks.c | 10 -----
security/smack/smack_lsm.c | 3 --
security/tomoyo/tomoyo.c | 2 -
6 files changed, 51 insertions(+), 46 deletions(-)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 8a3a6cd26f03..6e71e1c47fa1 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -2094,7 +2094,6 @@ static inline void security_delete_hooks(struct security_hook_list *hooks,
#define __lsm_ro_after_init __ro_after_init
#endif /* CONFIG_SECURITY_WRITABLE_HOOKS */
-extern int __init security_module_enable(const char *module);
extern void __init capability_add_hooks(void);
#ifdef CONFIG_SECURITY_YAMA
extern void __init yama_add_hooks(void);
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 6cd630b34c3b..56c0982b48cd 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -1542,12 +1542,6 @@ static int __init apparmor_init(void)
{
int error;
- if (!apparmor_enabled || !security_module_enable("apparmor")) {
- aa_info_message("AppArmor disabled by boot time parameter");
- apparmor_enabled = false;
- return 0;
- }
-
aa_secids_init();
error = aa_setup_dfa_engine();
diff --git a/security/security.c b/security/security.c
index da2a923f2609..3fedbee5f3ec 100644
--- a/security/security.c
+++ b/security/security.c
@@ -43,13 +43,63 @@ char *lsm_names;
static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
CONFIG_DEFAULT_SECURITY;
+static struct lsm_info *exclusive __initdata;
+
+/* Mark an LSM's enabled flag, if it exists. */
+static void __init set_enabled(struct lsm_info *lsm, bool enabled)
+{
+ if (lsm->enabled)
+ *lsm->enabled = enabled;
+}
+
+/* Is an LSM allowed to be enabled? */
+static bool __init lsm_enabled(struct lsm_info *lsm)
+{
+ /* Report explicit disabling. */
+ if (lsm->enabled && !*lsm->enabled) {
+ pr_info("%s disabled with boot parameter\n", lsm->name);
+ return false;
+ }
+
+ /* If LSM isn't exclusive, ignore exclusive LSM selection rules. */
+ if (lsm->type != LSM_TYPE_EXCLUSIVE)
+ return true;
+
+ /* Disabled if another exclusive LSM already selected. */
+ if (exclusive)
+ return false;
+
+ /* Disabled if this LSM isn't the chosen one. */
+ if (strcmp(lsm->name, chosen_lsm) != 0)
+ return false;
+
+ return true;
+}
+
+/* Check if LSM should be enabled. Mark any that are disabled. */
+static void __init maybe_enable_lsm(struct lsm_info *lsm)
+{
+ int enabled = lsm_enabled(lsm);
+
+ /* Record enablement. */
+ set_enabled(lsm, enabled);
+
+ /* If selected, initialize the LSM. */
+ if (enabled) {
+ if (lsm->type == LSM_TYPE_EXCLUSIVE) {
+ exclusive = lsm;
+ }
+ lsm->init();
+ }
+}
+
static void __init lsm_init(enum lsm_type type)
{
struct lsm_info *lsm;
for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
if (lsm->type == type)
- lsm->init();
+ maybe_enable_lsm(lsm);
}
}
@@ -128,29 +178,6 @@ static int lsm_append(char *new, char **result)
return 0;
}
-/**
- * security_module_enable - Load given security module on boot ?
- * @module: the name of the module
- *
- * Each LSM must pass this method before registering its own operations
- * to avoid security registration races. This method may also be used
- * to check if your LSM is currently loaded during kernel initialization.
- *
- * Returns:
- *
- * true if:
- *
- * - The passed LSM is the one chosen by user at boot time,
- * - or the passed LSM is configured as the default and the user did not
- * choose an alternate LSM at boot time.
- *
- * Otherwise, return false.
- */
-int __init security_module_enable(const char *module)
-{
- return !strcmp(module, chosen_lsm);
-}
-
/**
* security_add_hooks - Add a modules hooks to the hook lists.
* @hooks: the hooks to add
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 78b5afc188f3..5478abf51f3a 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -7133,16 +7133,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
static __init int selinux_init(void)
{
- if (!security_module_enable("selinux")) {
- selinux_enabled = 0;
- return 0;
- }
-
- if (!selinux_enabled) {
- pr_info("SELinux: Disabled at boot.\n");
- return 0;
- }
-
pr_info("SELinux: Initializing.\n");
memset(&selinux_state, 0, sizeof(selinux_state));
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 1e1ace718e75..6e127c357ca2 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4834,9 +4834,6 @@ static __init int smack_init(void)
struct cred *cred;
struct task_smack *tsp;
- if (!security_module_enable("smack"))
- return 0;
-
smack_inode_cache = KMEM_CACHE(inode_smack, 0);
if (!smack_inode_cache)
return -ENOMEM;
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index a280d4eab456..0471390409c5 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -540,8 +540,6 @@ static int __init tomoyo_init(void)
{
struct cred *cred = (struct cred *) current_cred();
- if (!security_module_enable("tomoyo"))
- return 0;
/* register ourselves with the security framework */
security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo");
printk(KERN_INFO "TOMOYO Linux initialized\n");
--
2.17.1
next prev parent reply other threads:[~2018-09-16 0:31 UTC|newest]
Thread overview: 100+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-16 0:30 [PATCH 00/18] LSM: Prepare for explict LSM ordering Kees Cook
2018-09-16 0:30 ` Kees Cook
2018-09-16 0:30 ` [PATCH 01/18] vmlinux.lds.h: Avoid copy/paste of security_init section Kees Cook
2018-09-16 0:30 ` Kees Cook
2018-09-16 0:30 ` [PATCH 02/18] LSM: Rename .security_initcall section to .lsm_info Kees Cook
2018-09-16 0:30 ` Kees Cook
2018-09-16 0:30 ` [PATCH 03/18] LSM: Remove initcall tracing Kees Cook
2018-09-16 0:30 ` Kees Cook
2018-09-16 0:30 ` [PATCH 04/18] LSM: Convert from initcall to struct lsm_info Kees Cook
2018-09-16 0:30 ` Kees Cook
2018-09-16 0:30 ` [PATCH 05/18] vmlinux.lds.h: Move LSM_TABLE into INIT_DATA Kees Cook
2018-09-16 0:30 ` Kees Cook
2018-09-16 0:30 ` [PATCH 06/18] LSM: Convert security_initcall() into DEFINE_LSM() Kees Cook
2018-09-16 0:30 ` Kees Cook
2018-09-16 0:30 ` [PATCH 07/18] LSM: Add minor LSM initialization loop Kees Cook
2018-09-16 0:30 ` Kees Cook
2018-09-16 1:27 ` Jann Horn
2018-09-16 1:27 ` Jann Horn
2018-09-16 1:49 ` Kees Cook
2018-09-16 1:49 ` Kees Cook
2018-09-16 0:30 ` [PATCH 08/18] integrity: Initialize as LSM_TYPE_MINOR Kees Cook
2018-09-16 0:30 ` Kees Cook
2018-09-16 0:30 ` [PATCH 09/18] LSM: Record LSM name in struct lsm_info Kees Cook
2018-09-16 0:30 ` Kees Cook
2018-09-16 0:30 ` [PATCH 10/18] LSM: Plumb visibility into optional "enabled" state Kees Cook
2018-09-16 0:30 ` Kees Cook
2018-09-16 0:30 ` Kees Cook [this message]
2018-09-16 0:30 ` [PATCH 11/18] LSM: Lift LSM selection out of individual LSMs Kees Cook
2018-09-16 1:32 ` Jann Horn
2018-09-16 1:32 ` Jann Horn
2018-09-16 1:47 ` Kees Cook
2018-09-16 1:47 ` Kees Cook
2018-09-16 0:30 ` [PATCH 12/18] LSM: Introduce ordering details in struct lsm_info Kees Cook
2018-09-16 0:30 ` Kees Cook
2018-09-16 0:30 ` [PATCH 13/18] LoadPin: Initialize as LSM_TYPE_MINOR Kees Cook
2018-09-16 0:30 ` Kees Cook
2018-09-16 0:30 ` [PATCH 14/18] Yama: " Kees Cook
2018-09-16 0:30 ` Kees Cook
2018-09-16 0:30 ` [PATCH 15/18] capability: " Kees Cook
2018-09-16 0:30 ` Kees Cook
2018-09-16 0:30 ` [PATCH 16/18] LSM: Allow arbitrary LSM ordering Kees Cook
2018-09-16 0:30 ` Kees Cook
2018-09-16 18:49 ` Casey Schaufler
2018-09-16 18:49 ` Casey Schaufler
2018-09-16 23:00 ` Kees Cook
2018-09-16 23:00 ` Kees Cook
2018-09-17 0:46 ` Tetsuo Handa
2018-09-17 0:46 ` Tetsuo Handa
2018-09-17 15:06 ` Casey Schaufler
2018-09-17 15:06 ` Casey Schaufler
2018-09-17 16:24 ` Kees Cook
2018-09-17 16:24 ` Kees Cook
2018-09-17 17:13 ` Casey Schaufler
2018-09-17 17:13 ` Casey Schaufler
2018-09-17 18:14 ` Kees Cook
2018-09-17 18:14 ` Kees Cook
2018-09-17 19:23 ` Casey Schaufler
2018-09-17 19:23 ` Casey Schaufler
2018-09-17 19:55 ` John Johansen
2018-09-17 19:55 ` John Johansen
2018-09-17 21:57 ` Casey Schaufler
2018-09-17 21:57 ` Casey Schaufler
2018-09-17 22:36 ` John Johansen
2018-09-17 22:36 ` John Johansen
2018-09-17 23:10 ` Mickaël Salaün
2018-09-17 23:20 ` Kees Cook
2018-09-17 23:20 ` Kees Cook
2018-09-17 23:26 ` John Johansen
2018-09-17 23:26 ` John Johansen
2018-09-17 23:28 ` Kees Cook
2018-09-17 23:28 ` Kees Cook
2018-09-17 23:40 ` Casey Schaufler
2018-09-17 23:40 ` Casey Schaufler
2018-09-17 23:30 ` Casey Schaufler
2018-09-17 23:30 ` Casey Schaufler
2018-09-17 23:47 ` Mickaël Salaün
2018-09-18 0:00 ` Casey Schaufler
2018-09-18 0:00 ` Casey Schaufler
2018-09-17 23:25 ` John Johansen
2018-09-17 23:25 ` John Johansen
2018-09-17 23:25 ` Casey Schaufler
2018-09-17 23:25 ` Casey Schaufler
2018-09-18 0:00 ` Kees Cook
2018-09-18 0:00 ` Kees Cook
2018-09-18 0:24 ` Casey Schaufler
2018-09-18 0:24 ` Casey Schaufler
2018-09-18 0:45 ` Kees Cook
2018-09-18 0:45 ` Kees Cook
2018-09-18 0:57 ` Casey Schaufler
2018-09-18 0:57 ` Casey Schaufler
2018-09-18 0:59 ` Kees Cook
2018-09-18 0:59 ` Kees Cook
2018-09-18 1:08 ` John Johansen
2018-09-18 1:08 ` John Johansen
2018-09-17 19:35 ` John Johansen
2018-09-17 19:35 ` John Johansen
2018-09-16 0:30 ` [PATCH 17/18] LSM: Provide init debugging Kees Cook
2018-09-16 0:30 ` Kees Cook
2018-09-16 0:30 ` [PATCH 18/18] LSM: Don't ignore initialization failures Kees Cook
2018-09-16 0:30 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180916003059.1046-12-keescook@chromium.org \
--to=keescook@chromium.org \
--cc=casey.schaufler@intel.com \
--cc=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=sds@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.