[PATCH v19 02/23] LSM: Create and manage the lsmblob data structure.

Casey Schaufler casey at schaufler-ca.com
Mon Jul 27 21:04:33 UTC 2020


On 7/27/2020 9:12 AM, Stephen Smalley wrote:
> On Fri, Jul 24, 2020 at 4:35 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
>> When more than one security module is exporting data to
>> audit and networking sub-systems a single 32 bit integer
>> is no longer sufficient to represent the data. Add a
>> structure to be used instead.
>>
>> The lsmblob structure is currently an array of
>> u32 "secids". There is an entry for each of the
>> security modules built into the system that would
>> use secids if active. The system assigns the module
>> a "slot" when it registers hooks. If modules are
>> compiled in but not registered there will be unused
>> slots.
>>
>> A new lsm_id structure, which contains the name
>> of the LSM and its slot number, is created. There
>> is an instance for each LSM, which assigns the name
>> and passes it to the infrastructure to set the slot.
>>
>> The audit rules data is expanded to use an array of
>> security module data rather than a single instance.
>> Because IMA uses the audit rule functions it is
>> affected as well.
>>
>> Acked-by: Stephen Smalley <sds at tycho.nsa.gov>
>> Acked-by: Paul Moore <paul at paul-moore.com>
>> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
> With CONFIG_BPF_LSM=y:

Thanks. I am surprised that this config option isn't
under security. No problem, an easy fix.

>
> security/bpf/hooks.c: In function ‘bpf_lsm_init’:
> security/bpf/hooks.c:18:63: error: passing argument 3 of
> ‘security_add_hooks’ from incompatible pointer type
> [-Werror=incompatible-pointer-types]
>    18 |  security_add_hooks(bpf_lsm_hooks, ARRAY_SIZE(bpf_lsm_hooks), "bpf");
>       |                                                               ^~~~~
>       |                                                               |
>       |                                                               char *
> In file included from security/bpf/hooks.c:6:
> ./include/linux/lsm_hooks.h:1592:26: note: expected ‘struct lsm_id *’
> but argument is of type ‘char *’
>  1592 |           struct lsm_id *lsmid);
>       |           ~~~~~~~~~~~~~~~^~~~~
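A small user-space model of the slot scheme the commit message describes, and of the call the compiler rejects above: added here as an illustration, not code from the patch itself. The constants, the -ENOSPC return, the sample module names other than "bpf", and the bodies of the helpers are assumptions.

```c
#include <stdint.h>
#include <errno.h>
typedef uint32_t u32;

/* Assumed model values: two built-in modules could use secids. */
#define LSMBLOB_ENTRIES    2
#define LSMBLOB_NEEDED     (-2)  /* module needs a slot, none assigned yet */
#define LSMBLOB_NOT_NEEDED (-1)  /* module never exports secids */

struct lsmblob {
	u32 secid[LSMBLOB_ENTRIES];   /* one entry per slot */
};

struct lsm_id {
	const char *lsm;   /* module name, e.g. "bpf" */
	int slot;          /* index into lsmblob.secid once registered */
};

static int lsm_slot;   /* next free slot; the infrastructure's counter */
/* Model of security_add_hooks(): the third argument is a struct lsm_id,
 * not a bare name (passing "bpf" as a char * is the error in the thread). */
static int security_add_hooks(void *hooks, int count, struct lsm_id *lsmid)
{
	(void)hooks; (void)count;     /* hook table handling is not modelled */
	if (lsmid->slot != LSMBLOB_NEEDED)
		return 0;             /* no secids: no slot consumed */
	if (lsm_slot >= LSMBLOB_ENTRIES)
		return -ENOSPC;       /* model choice: more secid users than slots */
	lsmid->slot = lsm_slot++;
	return 0;
}

/* Each module writes only its own slot; an unassigned slot is left alone. */
static void lsmblob_set(struct lsmblob *blob, const struct lsm_id *id, u32 secid)
{
	if (id->slot >= 0)
		blob->secid[id->slot] = secid;
}

/* Slots for modules that are compiled in but never registered stay unused. */
static int lsmblob_unused_slots(void)
{
	return LSMBLOB_ENTRIES - lsm_slot;
}

/* Constructed sample modules; only "bpf" comes from the thread. */
static struct lsm_id selinux_lsmid = { .lsm = "selinux", .slot = LSMBLOB_NEEDED };
static struct lsm_id smack_lsmid   = { .lsm = "smack",   .slot = LSMBLOB_NEEDED };
static struct lsm_id bpf_lsmid     = { .lsm = "bpf",     .slot = LSMBLOB_NOT_NEEDED };
```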
