[RFC PATCH 5/9] Loadpol LSM: add a sysctl to lock the policy

Simon THOBY git at nightmared.fr
Wed May 21 14:01:09 UTC 2025 

Once the policy is properly configurd, users may want to lock that
policy to ensure no future change can be applied to it.

Add a sysctl that can be toggled to lock the policy.

Signed-off-by: Simon THOBY <git at nightmared.fr>
---
 security/loadpol/loadpol_fs.c | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/security/loadpol/loadpol_fs.c b/security/loadpol/loadpol_fs.c
index 9134d11718a0..1fec94de9f40 100644
--- a/security/loadpol/loadpol_fs.c
+++ b/security/loadpol/loadpol_fs.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 
 #include "linux/array_size.h"
+#include <linux/sysctl.h>
 #include <linux/security.h>
 
 #include "loadpol.h"
@@ -8,8 +9,22 @@
 static struct dentry *securityfs_dir;
 static struct dentry *securityfs_policy;
 
+static bool policy_locked;
 static DEFINE_MUTEX(policy_write_mutex);
 
+static const struct ctl_table sysctls[] = {
+	{
+		.procname	= "locked",
+		.data		= &policy_locked,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		/* only allow a transition from 0 (not locked) to 1 (locked) */
+		.proc_handler	= proc_dointvec_minmax,
+		.extra1		= SYSCTL_ONE,
+		.extra2		= SYSCTL_ONE,
+	},
+};
+
 static const struct seq_operations loadpol_policy_seqops = {
 	.start = loadpol_policy_start,
 	.next = loadpol_policy_next,
@@ -33,6 +48,13 @@ static ssize_t loadpol_write_policy(struct file *file, const char __user *buf,
 	char *data;
 	ssize_t ret;
 
+	/* Once the policy is locked, modifications are blocked */
+	if (policy_locked) {
+		pr_warn("Loadpol is locked, the policy cannot be modified");
+		ret = -EPERM;
+		goto out;
+	}
+
 	/*
 	 * arbitrary size limit (to prevent a DoS but still allow loading a policy with a few
 	 * thousands of entries)
@@ -81,8 +103,15 @@ static const struct file_operations loadpol_policy_ops = {
 
 static int __init loadpol_init_fs(void)
 {
+	struct ctl_table_header *sysctl_hdr = NULL;
 	int ret;
 
+	sysctl_hdr = register_sysctl_sz("security/" LOADPOL_NAME, sysctls, ARRAY_SIZE(sysctls));
+	if (IS_ERR(sysctl_hdr)) {
+		ret = PTR_ERR(sysctl_hdr);
+		goto err;
+	}
+
 	securityfs_dir = securityfs_create_dir(LOADPOL_NAME, NULL);
 	if (IS_ERR(securityfs_dir)) {
 		ret = PTR_ERR(securityfs_dir);
@@ -99,6 +128,8 @@ static int __init loadpol_init_fs(void)
 
 	return 0;
 err:
+	if (!IS_ERR(sysctl_hdr))
+		unregister_sysctl_table(sysctl_hdr);
 	securityfs_remove(securityfs_policy);
 	securityfs_remove(securityfs_dir);
 	return ret;
-- 
2.49.0

More information about the Linux-security-module-archive mailing list