[PATCH v3 1/23] lsm: Only build lsm_audit.c if CONFIG_SECURITY and CONFIG_AUDIT are set

[Paul Moore]

On Nov 22, 2024 =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic at digikod.net> wrote:
> 
> When CONFIG_AUDIT is set, its CONFIG_NET dependency is also set, and the
> dev_get_by_index and init_net symbols (used by dump_common_audit_data)
> are found by the linker.  dump_common_audit_data() should then failed to
> build when CONFIG_NET is not set. However, because the compiler is
> smart, it knows that audit_log_start() always return NULL when
> !CONFIG_AUDIT, and it doesn't build the body of common_lsm_audit().  As
> a side effect, dump_common_audit_data() is not built and the linker
> doesn't error out because of missing symbols.
> 
> Let's only build lsm_audit.o when CONFIG_SECURITY and CONFIG_AUDIT are
> both set, which is checked with the new CONFIG_HAS_SECURITY_AUDIT.
> 
> ipv4_skb_to_auditdata() and ipv6_skb_to_auditdata() are only used by
> Smack if CONFIG_AUDIT is set, so they don't need fake implementations.
> 
> Because common_lsm_audit() is used in multiple places without
> CONFIG_AUDIT checks, add a fake implementation.
> 
> Cc: Casey Schaufler <casey at schaufler-ca.com>
> Cc: James Morris <jmorris at namei.org>
> Cc: Paul Moore <paul at paul-moore.com>
> Cc: Serge E. Hallyn <serge at hallyn.com>
> Signed-off-by: Mickaël Salaün <mic at digikod.net>
> Link: https://lore.kernel.org/r/20241122143353.59367-2-mic@digikod.net
> ---
> Changes since v2:
> - Add CONFIG_HAS_SECURITY_AUDIT to fix the build with AUDIT &&
>   !SECURITY, reported by Guenter Roeck.
> ---
>  include/linux/lsm_audit.h | 14 ++++++++++++++
>  security/Kconfig          |  5 +++++
>  security/Makefile         |  2 +-
>  3 files changed, 20 insertions(+), 1 deletion(-)

This fix should probably stand alone from the rest of the patchset as it
is a worthwhile fix independent of the Landlock feature additions.  I'm
going to go ahead and merge this via the lsm/dev branch now, if anyone
has any objections please let me know.

Thanks!

--
paul-moore.com