Skip to content

Commit 13e735c

Browse files
keeskees
committed
LSM: Introduce CONFIG_LSM
This provides a way to declare LSM initialization order via the new CONFIG_LSM. Currently only non-major LSMs are recognized. This will be expanded in future patches. Signed-off-by: Kees Cook <[email protected]>
1 parent 2d4d511 commit 13e735c

File tree

2 files changed

+31
-5
lines changed

2 files changed

+31
-5
lines changed

security/Kconfig

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -276,5 +276,14 @@ config DEFAULT_SECURITY
276276
default "apparmor" if DEFAULT_SECURITY_APPARMOR
277277
default "" if DEFAULT_SECURITY_DAC
278278

279+
config LSM
280+
string "Ordered list of enabled LSMs"
281+
default "integrity"
282+
help
283+
A comma-separated list of LSMs, in initialization order.
284+
Any LSMs left off this list will be ignored.
285+
286+
If unsure, leave this as the default.
287+
279288
endmenu
280289

security/security.c

Lines changed: 22 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -48,6 +48,8 @@ char *lsm_names;
4848
static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
4949
CONFIG_DEFAULT_SECURITY;
5050

51+
static __initconst const char * const builtin_lsm_order = CONFIG_LSM;
52+
5153
/* Ordered list of LSMs to initialize. */
5254
static __initdata struct lsm_info **ordered_lsms;
5355

@@ -155,15 +157,30 @@ static void __init maybe_initialize_lsm(struct lsm_info *lsm)
155157
}
156158
}
157159

158-
/* Populate ordered LSMs list from single LSM name. */
160+
/* Populate ordered LSMs list from comma-separated LSM name list. */
159161
static void __init ordered_lsm_parse(const char *order, const char *origin)
160162
{
161163
struct lsm_info *lsm;
164+
char *sep, *name, *next;
165+
166+
sep = kstrdup(order, GFP_KERNEL);
167+
next = sep;
168+
/* Walk the list, looking for matching LSMs. */
169+
while ((name = strsep(&next, ",")) != NULL) {
170+
bool found = false;
171+
172+
for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
173+
if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0 &&
174+
strcmp(lsm->name, name) == 0) {
175+
append_ordered_lsm(lsm, origin);
176+
found = true;
177+
}
178+
}
162179

163-
for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
164-
if (strcmp(lsm->name, order) == 0)
165-
append_ordered_lsm(lsm, origin);
180+
if (!found)
181+
init_debug("%s ignored: %s\n", origin, name);
166182
}
183+
kfree(sep);
167184
}
168185

169186
static void __init ordered_lsm_init(void)
@@ -173,7 +190,7 @@ static void __init ordered_lsm_init(void)
173190
ordered_lsms = kcalloc(LSM_COUNT + 1, sizeof(*ordered_lsms),
174191
GFP_KERNEL);
175192

176-
ordered_lsm_parse("integrity", "builtin");
193+
ordered_lsm_parse(builtin_lsm_order, "builtin");
177194

178195
for (lsm = ordered_lsms; *lsm; lsm++)
179196
maybe_initialize_lsm(*lsm);

0 commit comments

Comments
 (0)