[RFC PATCH 29/29] lsm: add support for counting lsm_prop support among LSMs

Paul Moore paul at paul-moore.com
Tue May 13 20:23:28 UTC 2025


On Tue, May 13, 2025 at 12:39 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
> On 4/9/2025 11:50 AM, Paul Moore wrote:
> > Add two new variables, lsm_count_prop_subj and lsm_count_prop_obj, to
> > count the number of lsm_prop entries for subjects and objects across all
> > of the enabled LSMs.  Future patches will use this to continue the
> > conversion towards the lsm_prop struct.
> >
> > Signed-off-by: Paul Moore <paul at paul-moore.com>
> > ---
> >  include/linux/lsm_hooks.h         | 6 ++++++
> >  security/apparmor/lsm.c           | 1 +
> >  security/bpf/hooks.c              | 1 +
> >  security/commoncap.c              | 1 +
> >  security/integrity/evm/evm_main.c | 1 +
> >  security/integrity/ima/ima_main.c | 1 +
> >  security/ipe/ipe.c                | 1 +
> >  security/landlock/setup.c         | 1 +
> >  security/loadpin/loadpin.c        | 1 +
> >  security/lockdown/lockdown.c      | 1 +
> >  security/lsm.h                    | 4 ++++
> >  security/lsm_init.c               | 6 ++++++
> >  security/safesetid/lsm.c          | 1 +
> >  security/security.c               | 3 +++
> >  security/selinux/hooks.c          | 1 +
> >  security/smack/smack_lsm.c        | 1 +
> >  security/tomoyo/tomoyo.c          | 1 +
> >  security/yama/yama_lsm.c          | 1 +
> >  18 files changed, 33 insertions(+)

...

> > diff --git a/security/bpf/hooks.c b/security/bpf/hooks.c
> > index 40efde233f3a..c72df6ff69f7 100644
> > --- a/security/bpf/hooks.c
> > +++ b/security/bpf/hooks.c
> > @@ -18,6 +18,7 @@ static struct security_hook_list bpf_lsm_hooks[] __ro_after_init = {
> >  static const struct lsm_id bpf_lsmid = {
> >       .name = "bpf",
> >       .id = LSM_ID_BPF,
> > +     .flags = LSM_ID_FLG_PROP_SUBJ | LSM_ID_FLG_PROP_OBJ,
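Review bot: the added `.flags = LSM_ID_FLG_PROP_SUBJ | LSM_ID_FLG_PROP_OBJ` line in `bpf_lsmid` declares, in a `static const` table entry that is fixed at initialization, that the BPF LSM always contributes both a subject and an object lsm_prop entry, so any count derived from it at init time cannot reflect whether a loaded BPF program actually supplies those properties; the commit message only describes counting and gives no rationale for setting both flags unconditionally for this LSM, so either document why that is safe here or leave the flags out of this hunk until the counting can account for properties that are only present at runtime.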
>
> There's a problem here. BPF can have properties, but usually does not.
> Unless there's a bpf program loaded that provides them it is incorrect
> to use these flags. You can't know that at initialization.
>
> I have an alternative that will address this that I will propose
> shortly.

Okay, thanks.

-- 
paul-moore.com
