[PATCH v9 02/11] LSM: Maintain a table of LSM attribute data
Kees Cook
keescook at chromium.org
Fri Apr 21 19:20:22 UTC 2023
On Fri, Apr 21, 2023 at 10:42:50AM -0700, Casey Schaufler wrote:
> As LSMs are registered add their lsm_id pointers to a table.
> This will be used later for attribute reporting.
>
> Determine the number of possible security modules based on
> their respective CONFIG options. This allows the number to be
> known at build time. This allows data structures and tables
> to use the constant.
>
> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
Reviewed-by: Kees Cook <keescook at chromium.org>
Nit below...
> [...]
> @@ -513,6 +531,15 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count,
> {
> int i;
>
> + if (lsm_active_cnt >= LSM_COUNT)
> + panic("%s Too many LSMs registered.\n", __func__);
> + /*
> + * A security module may call security_add_hooks() more
> + * than once. Landlock is one such case.
> + */
> + if (lsm_active_cnt == 0 || lsm_idlist[lsm_active_cnt - 1] != lsmid)
> + lsm_idlist[lsm_active_cnt++] = lsmid;
> +
I find this logic hard to parse. I think this might be better, since
lsm_idlist will be entirely initialized to LSM_UNDEF, yes?
/*
* A security module may call security_add_hooks() more
* than once during initialization, and LSM initialization
* is serialized. Landlock is one such case.
*/
if (lsm_idlist[lsm_active_cnt] != lsmid)
lsm_idlist[lsm_active_cnt++] = lsmid;
--
Kees Cook
More information about the Linux-security-module-archive
mailing list