[PATCH 23/28] security: Introduce LSM_ORDER_LAST
Roberto Sassu
roberto.sassu at huaweicloud.com
Fri Mar 3 18:25:57 UTC 2023
From: Roberto Sassu <roberto.sassu at huawei.com>
Introduce LSM_ORDER_LAST, to satisfy the requirement of LSMs willing to be
the last, e.g. the 'integrity' LSM, without changing the kernel command
line or configuration.
As for LSM_ORDER_FIRST, LSMs with LSM_ORDER_LAST are always enabled and put
at the end of the LSM list in no particular order.
Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
---
include/linux/lsm_hooks.h | 1 +
security/security.c | 12 +++++++++---
2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 21a8ce23108..05c4b831d99 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -93,6 +93,7 @@ extern void security_add_hooks(struct security_hook_list *hooks, int count,
enum lsm_order {
LSM_ORDER_FIRST = -1, /* This is only for capabilities. */
LSM_ORDER_MUTABLE = 0,
+ LSM_ORDER_LAST = 1,
};
struct lsm_info {
diff --git a/security/security.c b/security/security.c
index 322090a50cd..24f52ba3218 100644
--- a/security/security.c
+++ b/security/security.c
@@ -284,9 +284,9 @@ static void __init ordered_lsm_parse(const char *order, const char *origin)
bool found = false;
for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
- if (lsm->order == LSM_ORDER_MUTABLE &&
- strcmp(lsm->name, name) == 0) {
- append_ordered_lsm(lsm, origin);
+ if (strcmp(lsm->name, name) == 0) {
+ if (lsm->order == LSM_ORDER_MUTABLE)
+ append_ordered_lsm(lsm, origin);
found = true;
}
}
@@ -306,6 +306,12 @@ static void __init ordered_lsm_parse(const char *order, const char *origin)
}
}
+ /* LSM_ORDER_LAST is always last. */
+ for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
+ if (lsm->order == LSM_ORDER_LAST)
+ append_ordered_lsm(lsm, " last");
+ }
+
/* Disable all LSMs not in the ordered list. */
for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
if (exists_ordered_lsm(lsm))
--
2.25.1
More information about the Linux-security-module-archive
mailing list