[PATCH 1/2] LSM: Initialize security_hook_heads upon registration.
Tetsuo Handa
penguin-kernel at I-love.SAKURA.ne.jp
Wed Mar 22 10:46:19 UTC 2017
"struct security_hook_heads" is an array of "struct list_head"
where elements can be initialized just before registration.
We might introduce different "struct security_hook_heads" for built-in
LSM modules and dynamically loadable LSM modules when we start allowing
dynamically loadable LSM modules. But even if we decide to use different
lists, there is no need to waste 350+ lines for initialization. Let's
initialize "struct security_hook_heads" just before registration.
Signed-off-by: Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp>
Cc: John Johansen <john.johansen at canonical.com>
Cc: Kees Cook <keescook at chromium.org>
Cc: Paul Moore <paul at paul-moore.com>
Cc: Stephen Smalley <sds at tycho.nsa.gov>
Cc: Casey Schaufler <casey at schaufler-ca.com>
Cc: James Morris <james.l.morris at oracle.com>
---
security/security.c | 361 +---------------------------------------------------
1 file changed, 7 insertions(+), 354 deletions(-)
diff --git a/security/security.c b/security/security.c
index d6d18a3..2f15488 100644
--- a/security/security.c
+++ b/security/security.c
@@ -32,6 +32,7 @@
/* Maximum number of letters for an LSM name string */
#define SECURITY_NAME_MAX 10
+struct security_hook_heads security_hook_heads __lsm_ro_after_init;
char *lsm_names;
/* Boot-time LSM user choice */
static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
@@ -54,6 +55,12 @@ static void __init do_security_initcalls(void)
*/
int __init security_init(void)
{
+ int i;
+ struct list_head *list = (struct list_head *) &security_hook_heads;
+
+ for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct list_head);
+ i++)
+ INIT_LIST_HEAD(&list[i]);
pr_info("Security Framework initialized\n");
/*
@@ -1627,357 +1634,3 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule,
actx);
}
#endif /* CONFIG_AUDIT */
-
-struct security_hook_heads security_hook_heads __lsm_ro_after_init = {
- .binder_set_context_mgr =
- LIST_HEAD_INIT(security_hook_heads.binder_set_context_mgr),
- .binder_transaction =
- LIST_HEAD_INIT(security_hook_heads.binder_transaction),
- .binder_transfer_binder =
- LIST_HEAD_INIT(security_hook_heads.binder_transfer_binder),
- .binder_transfer_file =
- LIST_HEAD_INIT(security_hook_heads.binder_transfer_file),
-
- .ptrace_access_check =
- LIST_HEAD_INIT(security_hook_heads.ptrace_access_check),
- .ptrace_traceme =
- LIST_HEAD_INIT(security_hook_heads.ptrace_traceme),
- .capget = LIST_HEAD_INIT(security_hook_heads.capget),
- .capset = LIST_HEAD_INIT(security_hook_heads.capset),
- .capable = LIST_HEAD_INIT(security_hook_heads.capable),
- .quotactl = LIST_HEAD_INIT(security_hook_heads.quotactl),
- .quota_on = LIST_HEAD_INIT(security_hook_heads.quota_on),
- .syslog = LIST_HEAD_INIT(security_hook_heads.syslog),
- .settime = LIST_HEAD_INIT(security_hook_heads.settime),
- .vm_enough_memory =
- LIST_HEAD_INIT(security_hook_heads.vm_enough_memory),
- .bprm_set_creds =
- LIST_HEAD_INIT(security_hook_heads.bprm_set_creds),
- .bprm_check_security =
- LIST_HEAD_INIT(security_hook_heads.bprm_check_security),
- .bprm_secureexec =
- LIST_HEAD_INIT(security_hook_heads.bprm_secureexec),
- .bprm_committing_creds =
- LIST_HEAD_INIT(security_hook_heads.bprm_committing_creds),
- .bprm_committed_creds =
- LIST_HEAD_INIT(security_hook_heads.bprm_committed_creds),
- .sb_alloc_security =
- LIST_HEAD_INIT(security_hook_heads.sb_alloc_security),
- .sb_free_security =
- LIST_HEAD_INIT(security_hook_heads.sb_free_security),
- .sb_copy_data = LIST_HEAD_INIT(security_hook_heads.sb_copy_data),
- .sb_remount = LIST_HEAD_INIT(security_hook_heads.sb_remount),
- .sb_kern_mount =
- LIST_HEAD_INIT(security_hook_heads.sb_kern_mount),
- .sb_show_options =
- LIST_HEAD_INIT(security_hook_heads.sb_show_options),
- .sb_statfs = LIST_HEAD_INIT(security_hook_heads.sb_statfs),
- .sb_mount = LIST_HEAD_INIT(security_hook_heads.sb_mount),
- .sb_umount = LIST_HEAD_INIT(security_hook_heads.sb_umount),
- .sb_pivotroot = LIST_HEAD_INIT(security_hook_heads.sb_pivotroot),
- .sb_set_mnt_opts =
- LIST_HEAD_INIT(security_hook_heads.sb_set_mnt_opts),
- .sb_clone_mnt_opts =
- LIST_HEAD_INIT(security_hook_heads.sb_clone_mnt_opts),
- .sb_parse_opts_str =
- LIST_HEAD_INIT(security_hook_heads.sb_parse_opts_str),
- .dentry_init_security =
- LIST_HEAD_INIT(security_hook_heads.dentry_init_security),
- .dentry_create_files_as =
- LIST_HEAD_INIT(security_hook_heads.dentry_create_files_as),
-#ifdef CONFIG_SECURITY_PATH
- .path_unlink = LIST_HEAD_INIT(security_hook_heads.path_unlink),
- .path_mkdir = LIST_HEAD_INIT(security_hook_heads.path_mkdir),
- .path_rmdir = LIST_HEAD_INIT(security_hook_heads.path_rmdir),
- .path_mknod = LIST_HEAD_INIT(security_hook_heads.path_mknod),
- .path_truncate =
- LIST_HEAD_INIT(security_hook_heads.path_truncate),
- .path_symlink = LIST_HEAD_INIT(security_hook_heads.path_symlink),
- .path_link = LIST_HEAD_INIT(security_hook_heads.path_link),
- .path_rename = LIST_HEAD_INIT(security_hook_heads.path_rename),
- .path_chmod = LIST_HEAD_INIT(security_hook_heads.path_chmod),
- .path_chown = LIST_HEAD_INIT(security_hook_heads.path_chown),
- .path_chroot = LIST_HEAD_INIT(security_hook_heads.path_chroot),
-#endif
- .inode_alloc_security =
- LIST_HEAD_INIT(security_hook_heads.inode_alloc_security),
- .inode_free_security =
- LIST_HEAD_INIT(security_hook_heads.inode_free_security),
- .inode_init_security =
- LIST_HEAD_INIT(security_hook_heads.inode_init_security),
- .inode_create = LIST_HEAD_INIT(security_hook_heads.inode_create),
- .inode_link = LIST_HEAD_INIT(security_hook_heads.inode_link),
- .inode_unlink = LIST_HEAD_INIT(security_hook_heads.inode_unlink),
- .inode_symlink =
- LIST_HEAD_INIT(security_hook_heads.inode_symlink),
- .inode_mkdir = LIST_HEAD_INIT(security_hook_heads.inode_mkdir),
- .inode_rmdir = LIST_HEAD_INIT(security_hook_heads.inode_rmdir),
- .inode_mknod = LIST_HEAD_INIT(security_hook_heads.inode_mknod),
- .inode_rename = LIST_HEAD_INIT(security_hook_heads.inode_rename),
- .inode_readlink =
- LIST_HEAD_INIT(security_hook_heads.inode_readlink),
- .inode_follow_link =
- LIST_HEAD_INIT(security_hook_heads.inode_follow_link),
- .inode_permission =
- LIST_HEAD_INIT(security_hook_heads.inode_permission),
- .inode_setattr =
- LIST_HEAD_INIT(security_hook_heads.inode_setattr),
- .inode_getattr =
- LIST_HEAD_INIT(security_hook_heads.inode_getattr),
- .inode_setxattr =
- LIST_HEAD_INIT(security_hook_heads.inode_setxattr),
- .inode_post_setxattr =
- LIST_HEAD_INIT(security_hook_heads.inode_post_setxattr),
- .inode_getxattr =
- LIST_HEAD_INIT(security_hook_heads.inode_getxattr),
- .inode_listxattr =
- LIST_HEAD_INIT(security_hook_heads.inode_listxattr),
- .inode_removexattr =
- LIST_HEAD_INIT(security_hook_heads.inode_removexattr),
- .inode_need_killpriv =
- LIST_HEAD_INIT(security_hook_heads.inode_need_killpriv),
- .inode_killpriv =
- LIST_HEAD_INIT(security_hook_heads.inode_killpriv),
- .inode_getsecurity =
- LIST_HEAD_INIT(security_hook_heads.inode_getsecurity),
- .inode_setsecurity =
- LIST_HEAD_INIT(security_hook_heads.inode_setsecurity),
- .inode_listsecurity =
- LIST_HEAD_INIT(security_hook_heads.inode_listsecurity),
- .inode_getsecid =
- LIST_HEAD_INIT(security_hook_heads.inode_getsecid),
- .inode_copy_up =
- LIST_HEAD_INIT(security_hook_heads.inode_copy_up),
- .inode_copy_up_xattr =
- LIST_HEAD_INIT(security_hook_heads.inode_copy_up_xattr),
- .file_permission =
- LIST_HEAD_INIT(security_hook_heads.file_permission),
- .file_alloc_security =
- LIST_HEAD_INIT(security_hook_heads.file_alloc_security),
- .file_free_security =
- LIST_HEAD_INIT(security_hook_heads.file_free_security),
- .file_ioctl = LIST_HEAD_INIT(security_hook_heads.file_ioctl),
- .mmap_addr = LIST_HEAD_INIT(security_hook_heads.mmap_addr),
- .mmap_file = LIST_HEAD_INIT(security_hook_heads.mmap_file),
- .file_mprotect =
- LIST_HEAD_INIT(security_hook_heads.file_mprotect),
- .file_lock = LIST_HEAD_INIT(security_hook_heads.file_lock),
- .file_fcntl = LIST_HEAD_INIT(security_hook_heads.file_fcntl),
- .file_set_fowner =
- LIST_HEAD_INIT(security_hook_heads.file_set_fowner),
- .file_send_sigiotask =
- LIST_HEAD_INIT(security_hook_heads.file_send_sigiotask),
- .file_receive = LIST_HEAD_INIT(security_hook_heads.file_receive),
- .file_open = LIST_HEAD_INIT(security_hook_heads.file_open),
- .task_create = LIST_HEAD_INIT(security_hook_heads.task_create),
- .task_free = LIST_HEAD_INIT(security_hook_heads.task_free),
- .cred_alloc_blank =
- LIST_HEAD_INIT(security_hook_heads.cred_alloc_blank),
- .cred_free = LIST_HEAD_INIT(security_hook_heads.cred_free),
- .cred_prepare = LIST_HEAD_INIT(security_hook_heads.cred_prepare),
- .cred_transfer =
- LIST_HEAD_INIT(security_hook_heads.cred_transfer),
- .kernel_act_as =
- LIST_HEAD_INIT(security_hook_heads.kernel_act_as),
- .kernel_create_files_as =
- LIST_HEAD_INIT(security_hook_heads.kernel_create_files_as),
- .kernel_module_request =
- LIST_HEAD_INIT(security_hook_heads.kernel_module_request),
- .kernel_read_file =
- LIST_HEAD_INIT(security_hook_heads.kernel_read_file),
- .kernel_post_read_file =
- LIST_HEAD_INIT(security_hook_heads.kernel_post_read_file),
- .task_fix_setuid =
- LIST_HEAD_INIT(security_hook_heads.task_fix_setuid),
- .task_setpgid = LIST_HEAD_INIT(security_hook_heads.task_setpgid),
- .task_getpgid = LIST_HEAD_INIT(security_hook_heads.task_getpgid),
- .task_getsid = LIST_HEAD_INIT(security_hook_heads.task_getsid),
- .task_getsecid =
- LIST_HEAD_INIT(security_hook_heads.task_getsecid),
- .task_setnice = LIST_HEAD_INIT(security_hook_heads.task_setnice),
- .task_setioprio =
- LIST_HEAD_INIT(security_hook_heads.task_setioprio),
- .task_getioprio =
- LIST_HEAD_INIT(security_hook_heads.task_getioprio),
- .task_prlimit =
- LIST_HEAD_INIT(security_hook_heads.task_prlimit),
- .task_setrlimit =
- LIST_HEAD_INIT(security_hook_heads.task_setrlimit),
- .task_setscheduler =
- LIST_HEAD_INIT(security_hook_heads.task_setscheduler),
- .task_getscheduler =
- LIST_HEAD_INIT(security_hook_heads.task_getscheduler),
- .task_movememory =
- LIST_HEAD_INIT(security_hook_heads.task_movememory),
- .task_kill = LIST_HEAD_INIT(security_hook_heads.task_kill),
- .task_prctl = LIST_HEAD_INIT(security_hook_heads.task_prctl),
- .task_to_inode =
- LIST_HEAD_INIT(security_hook_heads.task_to_inode),
- .ipc_permission =
- LIST_HEAD_INIT(security_hook_heads.ipc_permission),
- .ipc_getsecid = LIST_HEAD_INIT(security_hook_heads.ipc_getsecid),
- .msg_msg_alloc_security =
- LIST_HEAD_INIT(security_hook_heads.msg_msg_alloc_security),
- .msg_msg_free_security =
- LIST_HEAD_INIT(security_hook_heads.msg_msg_free_security),
- .msg_queue_alloc_security =
- LIST_HEAD_INIT(security_hook_heads.msg_queue_alloc_security),
- .msg_queue_free_security =
- LIST_HEAD_INIT(security_hook_heads.msg_queue_free_security),
- .msg_queue_associate =
- LIST_HEAD_INIT(security_hook_heads.msg_queue_associate),
- .msg_queue_msgctl =
- LIST_HEAD_INIT(security_hook_heads.msg_queue_msgctl),
- .msg_queue_msgsnd =
- LIST_HEAD_INIT(security_hook_heads.msg_queue_msgsnd),
- .msg_queue_msgrcv =
- LIST_HEAD_INIT(security_hook_heads.msg_queue_msgrcv),
- .shm_alloc_security =
- LIST_HEAD_INIT(security_hook_heads.shm_alloc_security),
- .shm_free_security =
- LIST_HEAD_INIT(security_hook_heads.shm_free_security),
- .shm_associate =
- LIST_HEAD_INIT(security_hook_heads.shm_associate),
- .shm_shmctl = LIST_HEAD_INIT(security_hook_heads.shm_shmctl),
- .shm_shmat = LIST_HEAD_INIT(security_hook_heads.shm_shmat),
- .sem_alloc_security =
- LIST_HEAD_INIT(security_hook_heads.sem_alloc_security),
- .sem_free_security =
- LIST_HEAD_INIT(security_hook_heads.sem_free_security),
- .sem_associate =
- LIST_HEAD_INIT(security_hook_heads.sem_associate),
- .sem_semctl = LIST_HEAD_INIT(security_hook_heads.sem_semctl),
- .sem_semop = LIST_HEAD_INIT(security_hook_heads.sem_semop),
- .netlink_send = LIST_HEAD_INIT(security_hook_heads.netlink_send),
- .d_instantiate =
- LIST_HEAD_INIT(security_hook_heads.d_instantiate),
- .getprocattr = LIST_HEAD_INIT(security_hook_heads.getprocattr),
- .setprocattr = LIST_HEAD_INIT(security_hook_heads.setprocattr),
- .ismaclabel = LIST_HEAD_INIT(security_hook_heads.ismaclabel),
- .secid_to_secctx =
- LIST_HEAD_INIT(security_hook_heads.secid_to_secctx),
- .secctx_to_secid =
- LIST_HEAD_INIT(security_hook_heads.secctx_to_secid),
- .release_secctx =
- LIST_HEAD_INIT(security_hook_heads.release_secctx),
- .inode_invalidate_secctx =
- LIST_HEAD_INIT(security_hook_heads.inode_invalidate_secctx),
- .inode_notifysecctx =
- LIST_HEAD_INIT(security_hook_heads.inode_notifysecctx),
- .inode_setsecctx =
- LIST_HEAD_INIT(security_hook_heads.inode_setsecctx),
- .inode_getsecctx =
- LIST_HEAD_INIT(security_hook_heads.inode_getsecctx),
-#ifdef CONFIG_SECURITY_NETWORK
- .unix_stream_connect =
- LIST_HEAD_INIT(security_hook_heads.unix_stream_connect),
- .unix_may_send =
- LIST_HEAD_INIT(security_hook_heads.unix_may_send),
- .socket_create =
- LIST_HEAD_INIT(security_hook_heads.socket_create),
- .socket_post_create =
- LIST_HEAD_INIT(security_hook_heads.socket_post_create),
- .socket_bind = LIST_HEAD_INIT(security_hook_heads.socket_bind),
- .socket_connect =
- LIST_HEAD_INIT(security_hook_heads.socket_connect),
- .socket_listen =
- LIST_HEAD_INIT(security_hook_heads.socket_listen),
- .socket_accept =
- LIST_HEAD_INIT(security_hook_heads.socket_accept),
- .socket_sendmsg =
- LIST_HEAD_INIT(security_hook_heads.socket_sendmsg),
- .socket_recvmsg =
- LIST_HEAD_INIT(security_hook_heads.socket_recvmsg),
- .socket_getsockname =
- LIST_HEAD_INIT(security_hook_heads.socket_getsockname),
- .socket_getpeername =
- LIST_HEAD_INIT(security_hook_heads.socket_getpeername),
- .socket_getsockopt =
- LIST_HEAD_INIT(security_hook_heads.socket_getsockopt),
- .socket_setsockopt =
- LIST_HEAD_INIT(security_hook_heads.socket_setsockopt),
- .socket_shutdown =
- LIST_HEAD_INIT(security_hook_heads.socket_shutdown),
- .socket_sock_rcv_skb =
- LIST_HEAD_INIT(security_hook_heads.socket_sock_rcv_skb),
- .socket_getpeersec_stream =
- LIST_HEAD_INIT(security_hook_heads.socket_getpeersec_stream),
- .socket_getpeersec_dgram =
- LIST_HEAD_INIT(security_hook_heads.socket_getpeersec_dgram),
- .sk_alloc_security =
- LIST_HEAD_INIT(security_hook_heads.sk_alloc_security),
- .sk_free_security =
- LIST_HEAD_INIT(security_hook_heads.sk_free_security),
- .sk_clone_security =
- LIST_HEAD_INIT(security_hook_heads.sk_clone_security),
- .sk_getsecid = LIST_HEAD_INIT(security_hook_heads.sk_getsecid),
- .sock_graft = LIST_HEAD_INIT(security_hook_heads.sock_graft),
- .inet_conn_request =
- LIST_HEAD_INIT(security_hook_heads.inet_conn_request),
- .inet_csk_clone =
- LIST_HEAD_INIT(security_hook_heads.inet_csk_clone),
- .inet_conn_established =
- LIST_HEAD_INIT(security_hook_heads.inet_conn_established),
- .secmark_relabel_packet =
- LIST_HEAD_INIT(security_hook_heads.secmark_relabel_packet),
- .secmark_refcount_inc =
- LIST_HEAD_INIT(security_hook_heads.secmark_refcount_inc),
- .secmark_refcount_dec =
- LIST_HEAD_INIT(security_hook_heads.secmark_refcount_dec),
- .req_classify_flow =
- LIST_HEAD_INIT(security_hook_heads.req_classify_flow),
- .tun_dev_alloc_security =
- LIST_HEAD_INIT(security_hook_heads.tun_dev_alloc_security),
- .tun_dev_free_security =
- LIST_HEAD_INIT(security_hook_heads.tun_dev_free_security),
- .tun_dev_create =
- LIST_HEAD_INIT(security_hook_heads.tun_dev_create),
- .tun_dev_attach_queue =
- LIST_HEAD_INIT(security_hook_heads.tun_dev_attach_queue),
- .tun_dev_attach =
- LIST_HEAD_INIT(security_hook_heads.tun_dev_attach),
- .tun_dev_open = LIST_HEAD_INIT(security_hook_heads.tun_dev_open),
-#endif /* CONFIG_SECURITY_NETWORK */
-#ifdef CONFIG_SECURITY_NETWORK_XFRM
- .xfrm_policy_alloc_security =
- LIST_HEAD_INIT(security_hook_heads.xfrm_policy_alloc_security),
- .xfrm_policy_clone_security =
- LIST_HEAD_INIT(security_hook_heads.xfrm_policy_clone_security),
- .xfrm_policy_free_security =
- LIST_HEAD_INIT(security_hook_heads.xfrm_policy_free_security),
- .xfrm_policy_delete_security =
- LIST_HEAD_INIT(security_hook_heads.xfrm_policy_delete_security),
- .xfrm_state_alloc =
- LIST_HEAD_INIT(security_hook_heads.xfrm_state_alloc),
- .xfrm_state_alloc_acquire =
- LIST_HEAD_INIT(security_hook_heads.xfrm_state_alloc_acquire),
- .xfrm_state_free_security =
- LIST_HEAD_INIT(security_hook_heads.xfrm_state_free_security),
- .xfrm_state_delete_security =
- LIST_HEAD_INIT(security_hook_heads.xfrm_state_delete_security),
- .xfrm_policy_lookup =
- LIST_HEAD_INIT(security_hook_heads.xfrm_policy_lookup),
- .xfrm_state_pol_flow_match =
- LIST_HEAD_INIT(security_hook_heads.xfrm_state_pol_flow_match),
- .xfrm_decode_session =
- LIST_HEAD_INIT(security_hook_heads.xfrm_decode_session),
-#endif /* CONFIG_SECURITY_NETWORK_XFRM */
-#ifdef CONFIG_KEYS
- .key_alloc = LIST_HEAD_INIT(security_hook_heads.key_alloc),
- .key_free = LIST_HEAD_INIT(security_hook_heads.key_free),
- .key_permission =
- LIST_HEAD_INIT(security_hook_heads.key_permission),
- .key_getsecurity =
- LIST_HEAD_INIT(security_hook_heads.key_getsecurity),
-#endif /* CONFIG_KEYS */
-#ifdef CONFIG_AUDIT
- .audit_rule_init =
- LIST_HEAD_INIT(security_hook_heads.audit_rule_init),
- .audit_rule_known =
- LIST_HEAD_INIT(security_hook_heads.audit_rule_known),
- .audit_rule_match =
- LIST_HEAD_INIT(security_hook_heads.audit_rule_match),
- .audit_rule_free =
- LIST_HEAD_INIT(security_hook_heads.audit_rule_free),
-#endif /* CONFIG_AUDIT */
-};
--
1.8.3.1
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive
mailing list