[PATCH v1 4/8] LSM: Maintain a table of LSM attribute data
Casey Schaufler
casey at schaufler-ca.com
Tue Oct 25 18:45:15 UTC 2022
As LSMs are registered add their lsm_id pointers to a table.
This will be used later for attribute reporting.
Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
---
include/linux/security.h | 17 +++++++++++++++++
security/security.c | 18 ++++++++++++++++++
2 files changed, 35 insertions(+)
diff --git a/include/linux/security.h b/include/linux/security.h
index ca1b7109c0db..e1678594d983 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -138,6 +138,23 @@ enum lockdown_reason {
extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1];
+#define LSMID_ENTRIES ( \
+ 1 + /* capabilities */ \
+ (IS_ENABLED(CONFIG_SECURITY_SELINUX) ? 1 : 0) + \
+ (IS_ENABLED(CONFIG_SECURITY_SMACK) ? 1 : 0) + \
+ (IS_ENABLED(CONFIG_SECURITY_TOMOYO) ? 1 : 0) + \
+ (IS_ENABLED(CONFIG_SECURITY_IMA) ? 1 : 0) + \
+ (IS_ENABLED(CONFIG_SECURITY_APPARMOR) ? 1 : 0) + \
+ (IS_ENABLED(CONFIG_SECURITY_YAMA) ? 1 : 0) + \
+ (IS_ENABLED(CONFIG_SECURITY_LOADPIN) ? 1 : 0) + \
+ (IS_ENABLED(CONFIG_SECURITY_SAFESETID) ? 1 : 0) + \
+ (IS_ENABLED(CONFIG_SECURITY_LOCKDOWN) ? 1 : 0) + \
+ (IS_ENABLED(CONFIG_BPF_LSM) ? 1 : 0) + \
+ (IS_ENABLED(CONFIG_SECURITY_LANDLOCK) ? 1 : 0))
+
+extern int lsm_id;
+extern struct lsm_id *lsm_idlist[];
+
/* These functions are in security/commoncap.c */
extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
int cap, unsigned int opts);
diff --git a/security/security.c b/security/security.c
index b2eb0ccd954b..bf206996a2af 100644
--- a/security/security.c
+++ b/security/security.c
@@ -28,6 +28,7 @@
#include <linux/backing-dev.h>
#include <linux/string.h>
#include <linux/msg.h>
+#include <uapi/linux/lsm.h>
#include <net/flow.h>
#define MAX_LSM_EVM_XATTR 2
@@ -320,6 +321,12 @@ static void __init lsm_early_task(struct task_struct *task);
static int lsm_append(const char *new, char **result);
+/*
+ * Current index to use while initializing the lsm id list.
+ */
+int lsm_id __lsm_ro_after_init;
+struct lsm_id *lsm_idlist[LSMID_ENTRIES] __lsm_ro_after_init;
+
static void __init ordered_lsm_init(void)
{
struct lsm_info **lsm;
@@ -364,6 +371,7 @@ static void __init ordered_lsm_init(void)
for (lsm = ordered_lsms; *lsm; lsm++)
initialize_lsm(*lsm);
+ init_debug("lsm count = %d\n", lsm_id);
kfree(ordered_lsms);
}
@@ -485,6 +493,16 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count,
{
int i;
+ /*
+ * A security module may call security_add_hooks() more
+ * than once. Landlock is one such case.
+ */
+ if (lsm_id == 0 || lsm_idlist[lsm_id - 1] != lsmid)
+ lsm_idlist[lsm_id++] = lsmid;
+
+ if (lsm_id > LSMID_ENTRIES)
+ panic("%s Too many LSMs registered.\n", __func__);
+
for (i = 0; i < count; i++) {
hooks[i].lsmid = lsmid;
hlist_add_tail_rcu(&hooks[i].list, hooks[i].head);
--
2.37.3
More information about the Linux-security-module-archive
mailing list