[RFC PATCH] lsm: make SECURITY_PATH always enabled
Tetsuo Handa
penguin-kernel at I-love.SAKURA.ne.jp
Sun Aug 25 12:49:52 UTC 2024
Only TOMOYO needed CONFIG_SECURITY_PATH when it was introduced, but
AppArmor, EVM, IMA and Landlock now select it as well, so a kernel built
with CONFIG_SECURITY enabled is likely to have at least one of them and
therefore the path hooks. Simplify the dependency by making the path hooks
unconditional and dropping the symbol.
Signed-off-by: Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp>
---
arch/mips/configs/loongson2k_defconfig | 1 -
arch/mips/configs/loongson3_defconfig | 1 -
include/linux/lsm_hook_defs.h | 2 -
include/linux/security.h | 70 --------------------------
kernel/bpf/bpf_lsm.c | 2 -
kernel/trace/bpf_trace.c | 2 -
security/Kconfig | 9 ----
security/apparmor/Kconfig | 1 -
security/integrity/evm/Kconfig | 1 -
security/integrity/ima/Kconfig | 1 -
security/landlock/Kconfig | 1 -
security/security.c | 2 -
security/tomoyo/Kconfig | 1 -
13 files changed, 94 deletions(-)
diff --git a/arch/mips/configs/loongson2k_defconfig b/arch/mips/configs/loongson2k_defconfig
index 4b7f914d01d0f..fb149d2f3ef5d 100644
--- a/arch/mips/configs/loongson2k_defconfig
+++ b/arch/mips/configs/loongson2k_defconfig
@@ -325,7 +325,6 @@ CONFIG_NLS_UTF8=y
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
-CONFIG_SECURITY_PATH=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_DISABLE=y
diff --git a/arch/mips/configs/loongson3_defconfig b/arch/mips/configs/loongson3_defconfig
index 78f4987520664..072b655f05601 100644
--- a/arch/mips/configs/loongson3_defconfig
+++ b/arch/mips/configs/loongson3_defconfig
@@ -388,7 +388,6 @@ CONFIG_NLS_UTF8=y
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
-CONFIG_SECURITY_PATH=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_DISABLE=y
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index 9eca013aa5e1f..dc1ee162994af 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -87,7 +87,6 @@ LSM_HOOK(int, -EOPNOTSUPP, dentry_init_security, struct dentry *dentry,
LSM_HOOK(int, 0, dentry_create_files_as, struct dentry *dentry, int mode,
struct qstr *name, const struct cred *old, struct cred *new)
-#ifdef CONFIG_SECURITY_PATH
LSM_HOOK(int, 0, path_unlink, const struct path *dir, struct dentry *dentry)
LSM_HOOK(int, 0, path_mkdir, const struct path *dir, struct dentry *dentry,
umode_t mode)
@@ -107,7 +106,6 @@ LSM_HOOK(int, 0, path_rename, const struct path *old_dir,
LSM_HOOK(int, 0, path_chmod, const struct path *path, umode_t mode)
LSM_HOOK(int, 0, path_chown, const struct path *path, kuid_t uid, kgid_t gid)
LSM_HOOK(int, 0, path_chroot, const struct path *path)
-#endif /* CONFIG_SECURITY_PATH */
/* Needed for inode based security check */
LSM_HOOK(int, 0, path_notify, const struct path *path, u64 mask,
diff --git a/include/linux/security.h b/include/linux/security.h
index b86ec2afc6910..50504cfd6d427 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1953,7 +1953,6 @@ static inline void security_skb_classify_flow(struct sk_buff *skb,
#endif /* CONFIG_SECURITY_NETWORK_XFRM */
-#ifdef CONFIG_SECURITY_PATH
int security_path_unlink(const struct path *dir, struct dentry *dentry);
int security_path_mkdir(const struct path *dir, struct dentry *dentry, umode_t mode);
int security_path_rmdir(const struct path *dir, struct dentry *dentry);
@@ -1971,75 +1970,6 @@ int security_path_rename(const struct path *old_dir, struct dentry *old_dentry,
int security_path_chmod(const struct path *path, umode_t mode);
int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid);
int security_path_chroot(const struct path *path);
-#else /* CONFIG_SECURITY_PATH */
-static inline int security_path_unlink(const struct path *dir, struct dentry *dentry)
-{
- return 0;
-}
-
-static inline int security_path_mkdir(const struct path *dir, struct dentry *dentry,
- umode_t mode)
-{
- return 0;
-}
-
-static inline int security_path_rmdir(const struct path *dir, struct dentry *dentry)
-{
- return 0;
-}
-
-static inline int security_path_mknod(const struct path *dir, struct dentry *dentry,
- umode_t mode, unsigned int dev)
-{
- return 0;
-}
-
-static inline void security_path_post_mknod(struct mnt_idmap *idmap,
- struct dentry *dentry)
-{ }
-
-static inline int security_path_truncate(const struct path *path)
-{
- return 0;
-}
-
-static inline int security_path_symlink(const struct path *dir, struct dentry *dentry,
- const char *old_name)
-{
- return 0;
-}
-
-static inline int security_path_link(struct dentry *old_dentry,
- const struct path *new_dir,
- struct dentry *new_dentry)
-{
- return 0;
-}
-
-static inline int security_path_rename(const struct path *old_dir,
- struct dentry *old_dentry,
- const struct path *new_dir,
- struct dentry *new_dentry,
- unsigned int flags)
-{
- return 0;
-}
-
-static inline int security_path_chmod(const struct path *path, umode_t mode)
-{
- return 0;
-}
-
-static inline int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
-{
- return 0;
-}
-
-static inline int security_path_chroot(const struct path *path)
-{
- return 0;
-}
-#endif /* CONFIG_SECURITY_PATH */
#ifdef CONFIG_KEYS
#ifdef CONFIG_SECURITY
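Review bot: Deleting the `#else` stubs (`static inline int security_path_unlink(...)` through `security_path_chroot`) leaves the `security_path_*()` prototypes unconditional, but those stubs were also the fallback for CONFIG_SECURITY=n, because SECURITY_PATH depended on SECURITY. The real definitions live in security/security.c, which is presumably still built only under CONFIG_SECURITY (security/Makefile), so a CONFIG_SECURITY=n kernel would have the fs/ callers of unlink/mkdir/chmod/chroot referencing functions that are never compiled and fail at link time. Keep the stub block and re-key it on the parent option instead: `#ifdef CONFIG_SECURITY`, `#else /* CONFIG_SECURITY */`, `#endif /* CONFIG_SECURITY */`, or move the prototypes and stubs into the header's existing `#ifdef CONFIG_SECURITY` section next to the other inode/file hooks. The affected stretch of the header continues beyond this hunk.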
diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c
index 6292ac5f9bd13..70ad2c9ccadd9 100644
--- a/kernel/bpf/bpf_lsm.c
+++ b/kernel/bpf/bpf_lsm.c
@@ -327,7 +327,6 @@ BTF_ID(func, bpf_lsm_kernel_module_request)
BTF_ID(func, bpf_lsm_kernel_read_file)
BTF_ID(func, bpf_lsm_kernfs_init_security)
-#ifdef CONFIG_SECURITY_PATH
BTF_ID(func, bpf_lsm_path_unlink)
BTF_ID(func, bpf_lsm_path_mkdir)
BTF_ID(func, bpf_lsm_path_rmdir)
@@ -337,7 +336,6 @@ BTF_ID(func, bpf_lsm_path_link)
BTF_ID(func, bpf_lsm_path_rename)
BTF_ID(func, bpf_lsm_path_chmod)
BTF_ID(func, bpf_lsm_path_chown)
-#endif /* CONFIG_SECURITY_PATH */
#ifdef CONFIG_KEYS
BTF_ID(func, bpf_lsm_key_free)
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index 1807c2966a89e..47dcb02acf35e 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -916,9 +916,7 @@ BTF_ID(func, security_file_permission)
BTF_ID(func, security_inode_getattr)
BTF_ID(func, security_file_open)
#endif
-#ifdef CONFIG_SECURITY_PATH
BTF_ID(func, security_path_truncate)
-#endif
BTF_ID(func, vfs_truncate)
BTF_ID(func, vfs_fallocate)
BTF_ID(func, dentry_open)
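Review bot: `BTF_ID(func, security_path_truncate)` is now listed bare, directly after the `#endif` that closes the `#ifdef CONFIG_SECURITY` group containing `security_file_open`; the removed CONFIG_SECURITY_PATH guard implied CONFIG_SECURITY, so with it gone a CONFIG_SECURITY=n build would presumably leave resolve_btfids with an unresolved id, since the function is then a stub or absent from vmlinux BTF. Move the entry up into that existing group rather than leaving it unguarded: `BTF_ID(func, security_file_open)` / `BTF_ID(func, security_path_truncate)` / `#endif`. The allowlist this entry belongs to extends beyond the hunk on both sides.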
diff --git a/security/Kconfig b/security/Kconfig
index 28e685f53bd1a..541c76d239a3c 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -103,15 +103,6 @@ config SECURITY_NETWORK_XFRM
IPSec.
If you are unsure how to answer this question, answer N.
-config SECURITY_PATH
- bool "Security hooks for pathname based access control"
- depends on SECURITY
- help
- This enables the security hooks for pathname based access control.
- If enabled, a security module can use these hooks to
- implement pathname based access controls.
- If you are unsure how to answer this question, answer N.
-
config INTEL_TXT
bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)"
depends on HAVE_INTEL_TXT
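Review bot: Removing the symbol means any config still carrying `CONFIG_SECURITY_PATH=y` is silently dropped by olddefconfig, and the series updates only the two loongson defconfigs; other arch defconfigs, config fragments or Documentation references to CONFIG_SECURITY_PATH are not visible here, so a tree-wide grep is needed and any hits should be cleaned up in the same patch. Out-of-tree LSMs and BPF programs that keyed on the symbol lose their `#ifdef`, which is acceptable but deserves a sentence in the commit message.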
diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
index 64cc3044a42ce..f7c196ffbf935 100644
--- a/security/apparmor/Kconfig
+++ b/security/apparmor/Kconfig
@@ -3,7 +3,6 @@ config SECURITY_APPARMOR
bool "AppArmor support"
depends on SECURITY && NET
select AUDIT
- select SECURITY_PATH
select SECURITYFS
select SECURITY_NETWORK
default n
diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig
index 861b3bacab821..fba9ee359bc9f 100644
--- a/security/integrity/evm/Kconfig
+++ b/security/integrity/evm/Kconfig
@@ -6,7 +6,6 @@ config EVM
select CRYPTO_HMAC
select CRYPTO_SHA1
select CRYPTO_HASH_INFO
- select SECURITY_PATH
default n
help
EVM protects a file's security extended attributes against
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 475c326150067..b98bfe9efd0c8 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -8,7 +8,6 @@ config IMA
select CRYPTO_HMAC
select CRYPTO_SHA1
select CRYPTO_HASH_INFO
- select SECURITY_PATH
select TCG_TPM if HAS_IOMEM
select TCG_TIS if TCG_TPM && X86
select TCG_CRB if TCG_TPM && ACPI
diff --git a/security/landlock/Kconfig b/security/landlock/Kconfig
index 3f1493402052e..b7bb224718675 100644
--- a/security/landlock/Kconfig
+++ b/security/landlock/Kconfig
@@ -4,7 +4,6 @@ config SECURITY_LANDLOCK
bool "Landlock support"
depends on SECURITY
select SECURITY_NETWORK
- select SECURITY_PATH
help
Landlock is a sandboxing mechanism that enables processes to restrict
themselves (and their future children) by gradually enforcing
diff --git a/security/security.c b/security/security.c
index c30e8348c9e12..04a86dd06f0ac 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1901,7 +1901,6 @@ int security_inode_init_security_anon(struct inode *inode,
context_inode);
}
-#ifdef CONFIG_SECURITY_PATH
/**
* security_path_mknod() - Check if creating a special file is allowed
* @dir: parent directory
@@ -2115,7 +2114,6 @@ int security_path_chroot(const struct path *path)
{
return call_int_hook(path_chroot, path);
}
-#endif /* CONFIG_SECURITY_PATH */
/**
* security_inode_create() - Check if creating a file is allowed
diff --git a/security/tomoyo/Kconfig b/security/tomoyo/Kconfig
index 1e0dd1a6d0b0e..ab8a5aaa301b0 100644
--- a/security/tomoyo/Kconfig
+++ b/security/tomoyo/Kconfig
@@ -4,7 +4,6 @@ config SECURITY_TOMOYO
depends on SECURITY
depends on NET
select SECURITYFS
- select SECURITY_PATH
select SECURITY_NETWORK
default n
help
--
2.43.5