p71924506
/
linux_old1
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

LSM: Introduce CONFIG_LSM 

This provides a way to declare LSM initialization order via the new
CONFIG_LSM. Currently only non-major LSMs are recognized. This will
be expanded in future patches.

Signed-off-by: Kees Cook <keescook@chromium.org>
This commit is contained in:
Kees Cook 2018-10-09 14:27:46 -07:00
parent 2d4d51198c
commit 13e735c0e9
2 changed files with 31 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
security/Kconfig
View File

@ -276,5 +276,14 @@ config DEFAULT_SECURITY
default "apparmor" if DEFAULT_SECURITY_APPARMOR default "apparmor" if DEFAULT_SECURITY_APPARMOR
default "" if DEFAULT_SECURITY_DAC default "" if DEFAULT_SECURITY_DAC
config LSM
string "Ordered list of enabled LSMs"
default "integrity"
help
A comma-separated list of LSMs, in initialization order.
Any LSMs left off this list will be ignored.
If unsure, leave this as the default.
endmenu endmenu

27
security/security.c
View File

@ -48,6 +48,8 @@ char *lsm_names;
static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
CONFIG_DEFAULT_SECURITY; CONFIG_DEFAULT_SECURITY;
static __initconst const char * const builtin_lsm_order = CONFIG_LSM;
/* Ordered list of LSMs to initialize. */ /* Ordered list of LSMs to initialize. */
static __initdata struct lsm_info **ordered_lsms; static __initdata struct lsm_info **ordered_lsms;
@ -155,15 +157,30 @@ static void __init maybe_initialize_lsm(struct lsm_info *lsm)
} }
} }
/* Populate ordered LSMs list from single LSM name. */ /* Populate ordered LSMs list from comma-separated LSM name list. */
static void __init ordered_lsm_parse(const char *order, const char *origin) static void __init ordered_lsm_parse(const char *order, const char *origin)
{ {
struct lsm_info *lsm; struct lsm_info *lsm;
char *sep, *name, *next;
for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { sep = kstrdup(order, GFP_KERNEL);
if (strcmp(lsm->name, order) == 0) next = sep;
append_ordered_lsm(lsm, origin); /* Walk the list, looking for matching LSMs. */
while ((name = strsep(&next, ",")) != NULL) {
bool found = false;
for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0 &&
strcmp(lsm->name, name) == 0) {
append_ordered_lsm(lsm, origin);
found = true;
}
}
if (!found)
init_debug("%s ignored: %s\n", origin, name);
} }
kfree(sep);
} }
static void __init ordered_lsm_init(void) static void __init ordered_lsm_init(void)
@ -173,7 +190,7 @@ static void __init ordered_lsm_init(void)
ordered_lsms = kcalloc(LSM_COUNT + 1, sizeof(*ordered_lsms), ordered_lsms = kcalloc(LSM_COUNT + 1, sizeof(*ordered_lsms),
GFP_KERNEL); GFP_KERNEL);
ordered_lsm_parse("integrity", "builtin"); ordered_lsm_parse(builtin_lsm_order, "builtin");
for (lsm = ordered_lsms; *lsm; lsm++) for (lsm = ordered_lsms; *lsm; lsm++)
maybe_initialize_lsm(*lsm); maybe_initialize_lsm(*lsm);