[PATCH 01/10] security: Export security_hook_heads

Tetsuo Handa penguin-kernel at I-love.SAKURA.ne.jp
Wed Nov 2 17:10:16 UTC 2022


LSM modules which can be loaded using /sbin/insmod need to be able to
access security_hook_heads, for security_add_hooks() is marked as an __init
function which cannot be accessed from loadable kernel modules.

LSM modules which can be loaded using /sbin/insmod are developed in order
to make it possible to enable LSM modules without replacing or rebuilding
the whole kernel, for distributors disable LSM modules which they cannot
afford supporting via kernel config options while users cannot afford
enabling LSM modules which they want to use by replacing or rebuilding
the whole kernel.

Now that I'm demonstrating CaitSith as one of such LSM modules, export
the security_hook_heads list.

Unlike introducing an LSM manager module which could provide the ability to
load/unload loadable LSM modules, exporting only security_hook_heads does
not affect the performance of built-in LSM modules and will increase the
kernel size only a little. Therefore, there is no kernel config option for
this change.

Distributors who believe that loadable LSM modules are unacceptable might
try to make it harder to use loadable LSM modules via unexporting
security_hook_heads. But we cannot hide security_hook_heads perfectly, for
binary code analysis allows loadable kernel modules to identify the
address of security_hook_heads. It is just a matter of cleanness of code.

Signed-off-by: Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp>
---
 security/security.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/security.c b/security/security.c
index 79d82cb6e469..fd7b9b1f8348 100644
--- a/security/security.c
+++ b/security/security.c
@@ -75,6 +75,7 @@ const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
 };
 
 struct security_hook_heads security_hook_heads __lsm_ro_after_init;
+EXPORT_SYMBOL_GPL(security_hook_heads);
 static BLOCKING_NOTIFIER_HEAD(blocking_lsm_notifier_chain);
 
 static struct kmem_cache *lsm_file_cache;
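Review bot: the exported variable is declared `__lsm_ro_after_init` on the line just above the new `EXPORT_SYMBOL_GPL(security_hook_heads);`, so unless CONFIG_SECURITY_WRITABLE_HOOKS is set the hook list heads are read-only by the time a module can be loaded, and a module that tries to list_add() its hooks onto them will fault; the commit message should state that loadable LSMs depend on that option (or the patch should select/depend on it) rather than only on the export. Please also document the trade-off the description glosses over as "cleanness of code": once the heads are exported, any GPL module that loads can insert callbacks into every security hook list for the whole kernel, which is a wider write surface than the __init-only security_add_hooks() path and is worth spelling out in the changelog, together with a note on why no Kconfig gate is offered to distributors who want the symbol kept unexported.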
-- 
2.18.4
