[PATCH v4 15/34] lsm: rename/rework ordered_lsm_parse() to lsm_order_parse()
Paul Moore
paul at paul-moore.com
Thu Sep 18 15:38:58 UTC 2025
On Thu, Sep 18, 2025 at 7:30 AM Mimi Zohar <zohar at linux.ibm.com> wrote:
> On Tue, 2025-09-16 at 18:03 -0400, Paul Moore wrote:
> > Rename ordered_lsm_parse() to lsm_order_parse() for the sake of
> > consistency with the other LSM initialization routines, and also
> > do some minor rework of the function. Aside from some minor style
> > decisions, the majority of the rework involved shuffling the order
> > of the LSM_FLAG_LEGACY and LSM_ORDER_FIRST code so that the
> > LSM_FLAG_LEGACY checks are handled first; it is important to note
> > that this doesn't affect the order in which the LSMs are registered.
> >
> > Reviewed-by: Casey Schaufler <casey at schaufler-ca.com>
> > Reviewed-by: John Johansen <john.johhansen at canonical.com>
> > Signed-off-by: Paul Moore <paul at paul-moore.com>
> > ---
> > security/lsm_init.c | 82 ++++++++++++++++++++-------------------------
> > 1 file changed, 37 insertions(+), 45 deletions(-)
> >
> > diff --git a/security/lsm_init.c b/security/lsm_init.c
> > index a314484d7c2f..7b2491120fc8 100644
> > --- a/security/lsm_init.c
> > +++ b/security/lsm_init.c
> > @@ -228,83 +228,75 @@ static void __init initialize_lsm(struct lsm_info *lsm)
> > }
> > }
> >
> > -/* Populate ordered LSMs list from comma-separated LSM name list. */
> > -static void __init ordered_lsm_parse(const char *order, const char *origin)
> > +/**
> > + * lsm_order_parse - Parse the comma delimited LSM list
> > + * @list: LSM list
> > + * @src: source of the list
> > + */
> > +static void __init lsm_order_parse(const char *list, const char *src)
> > {
> > struct lsm_info *lsm;
> > char *sep, *name, *next;
> >
> > - /* LSM_ORDER_FIRST is always first. */
> > - lsm_for_each_raw(lsm) {
> > - if (lsm->order == LSM_ORDER_FIRST)
> > - lsm_order_append(lsm, " first");
> > - }
> > -
> > - /* Process "security=", if given. */
> > + /* Handle any Legacy LSM exclusions if one was specified. */
> > if (lsm_order_legacy) {
> > - struct lsm_info *major;
> > -
> > /*
> > - * To match the original "security=" behavior, this
> > - * explicitly does NOT fallback to another Legacy Major
> > - * if the selected one was separately disabled: disable
> > - * all non-matching Legacy Major LSMs.
> > + * To match the original "security=" behavior, this explicitly
> > + * does NOT fallback to another Legacy Major if the selected
> > + * one was separately disabled: disable all non-matching
> > + * Legacy Major LSMs.
> > */
> > - lsm_for_each_raw(major) {
> > - if ((major->flags & LSM_FLAG_LEGACY_MAJOR) &&
> > - strcmp(major->id->name, lsm_order_legacy) != 0) {
> > - lsm_enabled_set(major, false);
> > + lsm_for_each_raw(lsm) {
> > + if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) &&
> > + strcmp(lsm->id->name, lsm_order_legacy)) {
> > + lsm_enabled_set(lsm, false);
> > init_debug("security=%s disabled: %s (only one legacy major LSM)\n",
> > - lsm_order_legacy, major->id->name);
> > + lsm_order_legacy, lsm->id->name);
> > }
> > }
> > }
> >
> > - sep = kstrdup(order, GFP_KERNEL);
> > + /* LSM_ORDER_FIRST */
> > + lsm_for_each_raw(lsm) {
> > + if (lsm->order == LSM_ORDER_FIRST)
> > + lsm_order_append(lsm, "first");
> > + }
> > +
> > + /* Normal or "mutable" LSMs */
>
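Review bot: in the LSM_ORDER_FIRST loop the second argument to lsm_order_append() changes from " first" to "first", and the commit message, which covers only the rename, style decisions and the LSM_FLAG_LEGACY/LSM_ORDER_FIRST reshuffle, does not mention it. If dropping the leading space is intentional, note it in the changelog so it is clear the change to that argument is deliberate. The replacement comments are also thinner than the ones they remove: /* LSM_ORDER_FIRST */ no longer says these LSMs are always first even though the loop now follows the legacy exclusion block, and /* Normal or "mutable" LSMs */ uses a term that is not defined anywhere in the visible hunk. A few words in each comment stating that the ordering of the first group is fixed and the ordering of the second can be changed would make both self-explanatory.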
> Paul, there's a reason for another set of eyes reviewing patches and yes, even,
> comments.

Mimi, if you've read my emails over the years, or discussed this topic
with me in person or off-list, you'll know that I almost always* hold
my patches to the same standard as any other contributor; even in
cases where I know there is likely to be no review beyond my own.

[*] There have been exceptions in the past due to build breakages and
other "critical" fixes that need to be merged ASAP, but even then the
patches are posted and subject to review and additional
patching/fixing afterwards.

> What are "mutable" LSMs?!

As the "or" would indicate, they are "normal" LSMs where the ordering
is mutable, as opposed to the "first" or "last" LSMs.

--
paul-moore.com