[RFC PATCH 5/9] Loadpol LSM: add a sysctl to lock the policy
Simon THOBY
git at nightmared.fr
Wed May 21 14:01:09 UTC 2025
Once the policy is properly configurd, users may want to lock that
policy to ensure no future change can be applied to it.
Add a sysctl that can be toggled to lock the policy.
Signed-off-by: Simon THOBY <git at nightmared.fr>
---
security/loadpol/loadpol_fs.c | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/security/loadpol/loadpol_fs.c b/security/loadpol/loadpol_fs.c
index 9134d11718a0..1fec94de9f40 100644
--- a/security/loadpol/loadpol_fs.c
+++ b/security/loadpol/loadpol_fs.c
@@ -1,6 +1,7 @@
// SPDX-License-Identifier: GPL-2.0-only
#include "linux/array_size.h"
+#include <linux/sysctl.h>
#include <linux/security.h>
#include "loadpol.h"
@@ -8,8 +9,22 @@
static struct dentry *securityfs_dir;
static struct dentry *securityfs_policy;
+static bool policy_locked;
static DEFINE_MUTEX(policy_write_mutex);
+static const struct ctl_table sysctls[] = {
+ {
+ .procname = "locked",
+ .data = &policy_locked,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ /* only allow a transition from 0 (not locked) to 1 (locked) */
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = SYSCTL_ONE,
+ .extra2 = SYSCTL_ONE,
+ },
+};
+
static const struct seq_operations loadpol_policy_seqops = {
.start = loadpol_policy_start,
.next = loadpol_policy_next,
@@ -33,6 +48,13 @@ static ssize_t loadpol_write_policy(struct file *file, const char __user *buf,
char *data;
ssize_t ret;
+ /* Once the policy is locked, modifications are blocked */
+ if (policy_locked) {
+ pr_warn("Loadpol is locked, the policy cannot be modified");
+ ret = -EPERM;
+ goto out;
+ }
+
/*
* arbitrary size limit (to prevent a DoS but still allow loading a policy with a few
* thousands of entries)
@@ -81,8 +103,15 @@ static const struct file_operations loadpol_policy_ops = {
static int __init loadpol_init_fs(void)
{
+ struct ctl_table_header *sysctl_hdr = NULL;
int ret;
+ sysctl_hdr = register_sysctl_sz("security/" LOADPOL_NAME, sysctls, ARRAY_SIZE(sysctls));
+ if (IS_ERR(sysctl_hdr)) {
+ ret = PTR_ERR(sysctl_hdr);
+ goto err;
+ }
+
securityfs_dir = securityfs_create_dir(LOADPOL_NAME, NULL);
if (IS_ERR(securityfs_dir)) {
ret = PTR_ERR(securityfs_dir);
@@ -99,6 +128,8 @@ static int __init loadpol_init_fs(void)
return 0;
err:
+ if (!IS_ERR(sysctl_hdr))
+ unregister_sysctl_table(sysctl_hdr);
securityfs_remove(securityfs_policy);
securityfs_remove(securityfs_dir);
return ret;
--
2.49.0
More information about the Linux-security-module-archive
mailing list