[PATCH bpf-next 2/4] security: Generate a header with the count of enabled LSMs
KP Singh
kpsingh at kernel.org
Thu Jan 19 23:10:31 UTC 2023
The header defines a MAX_LSM_COUNT constant which is used in a
subsequent patch to generate the static calls for each LSM hook which
are named using preprocessor token pasting. Since token pasting does not
work with arithmetic expressions, generate a simple lsm_count.h header
which represents the subset of LSMs that can be enabled on a given
kernel based on the config.
While one can generate static calls for all the possible LSMs that the
kernel has, this is actually wasteful as most kernels only enable a
handful of LSMs.
Signed-off-by: KP Singh <kpsingh at kernel.org>
---
scripts/Makefile | 1 +
scripts/security/.gitignore | 1 +
scripts/security/Makefile | 4 +++
scripts/security/gen_lsm_count.c | 57 ++++++++++++++++++++++++++++++++
security/Makefile | 11 ++++++
5 files changed, 74 insertions(+)
create mode 100644 scripts/security/.gitignore
create mode 100644 scripts/security/Makefile
create mode 100644 scripts/security/gen_lsm_count.c
diff --git a/scripts/Makefile b/scripts/Makefile
index 1575af84d557..9712249c0fb3 100644
--- a/scripts/Makefile
+++ b/scripts/Makefile
@@ -41,6 +41,7 @@ targets += module.lds
subdir-$(CONFIG_GCC_PLUGINS) += gcc-plugins
subdir-$(CONFIG_MODVERSIONS) += genksyms
subdir-$(CONFIG_SECURITY_SELINUX) += selinux
+subdir-$(CONFIG_SECURITY) += security
# Let clean descend into subdirs
subdir- += basic dtc gdb kconfig mod
diff --git a/scripts/security/.gitignore b/scripts/security/.gitignore
new file mode 100644
index 000000000000..684af16735f1
--- /dev/null
+++ b/scripts/security/.gitignore
@@ -0,0 +1 @@
+gen_lsm_count
diff --git a/scripts/security/Makefile b/scripts/security/Makefile
new file mode 100644
index 000000000000..05f7e4109052
--- /dev/null
+++ b/scripts/security/Makefile
@@ -0,0 +1,4 @@
+# SPDX-License-Identifier: GPL-2.0
+hostprogs-always-y += gen_lsm_count
+HOST_EXTRACFLAGS += \
+ -I$(srctree)/include/uapi -I$(srctree)/include
diff --git a/scripts/security/gen_lsm_count.c b/scripts/security/gen_lsm_count.c
new file mode 100644
index 000000000000..a9a227724d84
--- /dev/null
+++ b/scripts/security/gen_lsm_count.c
@@ -0,0 +1,57 @@
+// SPDX-License-Identifier: GPL-2.0
+
+/* NOTE: we really do want to use the kernel headers here */
+#define __EXPORTED_HEADERS__
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <errno.h>
+#include <ctype.h>
+
+#include <linux/kconfig.h>
+
+#define GEN_MAX_LSM_COUNT ( \
+ /* Capabilities */ \
+ IS_ENABLED(CONFIG_SECURITY) + \
+ IS_ENABLED(CONFIG_SECURITY_SELINUX) + \
+ IS_ENABLED(CONFIG_SECURITY_SMACK) + \
+ IS_ENABLED(CONFIG_SECURITY_TOMOYO) + \
+ IS_ENABLED(CONFIG_SECURITY_APPARMOR) + \
+ IS_ENABLED(CONFIG_SECURITY_YAMA) + \
+ IS_ENABLED(CONFIG_SECURITY_LOADPIN) + \
+ IS_ENABLED(CONFIG_SECURITY_SAFESETID) + \
+ IS_ENABLED(CONFIG_SECURITY_LOCKDOWN_LSM) + \
+ IS_ENABLED(CONFIG_BPF_LSM) + \
+ IS_ENABLED(CONFIG_SECURITY_LANDLOCK))
+
+const char *progname;
+
+static void usage(void)
+{
+ printf("usage: %s lsm_count.h\n", progname);
+ exit(1);
+}
+
+int main(int argc, char *argv[])
+{
+ FILE *fout;
+
+ progname = argv[0];
+
+ if (argc < 2)
+ usage();
+
+ fout = fopen(argv[1], "w");
+ if (!fout) {
+ fprintf(stderr, "Could not open %s for writing: %s\n",
+ argv[1], strerror(errno));
+ exit(2);
+ }
+
+ fprintf(fout, "#ifndef _LSM_COUNT_H_\n#define _LSM_COUNT_H_\n\n");
+ fprintf(fout, "\n#define MAX_LSM_COUNT %d\n", GEN_MAX_LSM_COUNT);
+ fprintf(fout, "#endif /* _LSM_COUNT_H_ */\n");
+ exit(0);
+}
diff --git a/security/Makefile b/security/Makefile
index 18121f8f85cd..7a47174831f4 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -3,6 +3,7 @@
# Makefile for the kernel security code
#
+gen := include/generated
obj-$(CONFIG_KEYS) += keys/
# always enable default capabilities
@@ -27,3 +28,13 @@ obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/
# Object integrity file lists
obj-$(CONFIG_INTEGRITY) += integrity/
+
+$(addprefix $(obj)/,$(obj-y)): $(gen)/lsm_count.h
+
+quiet_cmd_lsm_count = GEN ${gen}/lsm_count.h
+ cmd_lsm_count = scripts/security/gen_lsm_count ${gen}/lsm_count.h
+
+targets += lsm_count.h
+
+${gen}/lsm_count.h: FORCE
+ $(call if_changed,lsm_count)
--
2.39.0.246.g2a6d74b583-goog
More information about the Linux-security-module-archive
mailing list