[PATCH v12 02/11] LSM: Maintain a table of LSM attribute data
Paul Moore
paul at paul-moore.com
Fri Jul 21 21:40:23 UTC 2023
On Fri, Jul 14, 2023 at 3:42 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
> On 7/11/2023 8:35 AM, Mickaël Salaün wrote:
> > On 29/06/2023 21:55, Casey Schaufler wrote:
> >> As LSMs are registered add their lsm_id pointers to a table.
> >> This will be used later for attribute reporting.
> >>
> >> Determine the number of possible security modules based on
> >> their respective CONFIG options. This allows the number to be
> >> known at build time. This allows data structures and tables
> >> to use the constant.
> >>
> >> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
> >> Reviewed-by: Kees Cook <keescook at chromium.org>
> >> Reviewed-by: Serge Hallyn <serge at hallyn.com>
> >> ---
> >> include/linux/security.h | 2 ++
> >> security/security.c | 37 +++++++++++++++++++++++++++++++++++++
> >> 2 files changed, 39 insertions(+)
...
> >> diff --git a/security/security.c b/security/security.c
> >> index e56714ef045a..5a699e47478b 100644
> >> --- a/security/security.c
> >> +++ b/security/security.c
> >> @@ -521,6 +546,18 @@ void __init security_add_hooks(struct
> >> security_hook_list *hooks, int count,
> >> {
> >> int i;
> >> + /*
> >> + * A security module may call security_add_hooks() more
> >> + * than once during initialization, and LSM initialization
> >> + * is serialized. Landlock is one such case.
> >> + * Look at the previous entry, if there is one, for duplication.
> >> + */
> >> + if (lsm_active_cnt == 0 || lsm_idlist[lsm_active_cnt - 1] !=
> >> lsmid) {
> >
> > Isn't it possible to have interleaved security_add_hooks() calls?
>
> The initialization is serial and interleaving isn't possible.
>
> >> + if (lsm_active_cnt >= LSM_CONFIG_COUNT)
> >> + panic("%s Too many LSMs registered.\n", __func__);
> >
> > I'm not sure we should panic, but from a security point of view it is
> > critical enough…
>
> It's possible this should be a BUG() instance, but the panic() more
> closely resembles what's nearby in the code.
I think the panic() call is okay. If something is so horribly broken
that we hit this case we have little option but to panic the system as
booting with the LSM controls busted in such a way is very not good.
There are probably those that would object to the above statement, but
those people aren't likely to be building a kernel with any LSMs in
the first place.
--
paul-moore.com
More information about the Linux-security-module-archive
mailing list