Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 13e735c0 authored by Kees Cook's avatar Kees Cook
Browse files

LSM: Introduce CONFIG_LSM 



This provides a way to declare LSM initialization order via the new
CONFIG_LSM. Currently only non-major LSMs are recognized. This will
be expanded in future patches.

Signed-off-by: default avatarKees Cook <keescook@chromium.org>
parent 2d4d5119

security/Kconfig

+9 −0
Original line number Diff line number Diff line
@@ -276,5 +276,14 @@ config DEFAULT_SECURITY 
	default "apparmor" if DEFAULT_SECURITY_APPARMOR

	default "" if DEFAULT_SECURITY_DAC



config LSM

	string "Ordered list of enabled LSMs"

	default "integrity"

	help

	  A comma-separated list of LSMs, in initialization order.

	  Any LSMs left off this list will be ignored.



	  If unsure, leave this as the default.



endmenu

security/security.c

+22 −5
Original line number Diff line number Diff line
@@ -48,6 +48,8 @@ char *lsm_names; 
static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =

	CONFIG_DEFAULT_SECURITY;



static __initconst const char * const builtin_lsm_order = CONFIG_LSM;



/* Ordered list of LSMs to initialize. */

static __initdata struct lsm_info **ordered_lsms;
@@ -155,15 +157,30 @@ static void __init maybe_initialize_lsm(struct lsm_info *lsm) 
	}

}



/* Populate ordered LSMs list from single LSM name. */

/* Populate ordered LSMs list from comma-separated LSM name list. */

static void __init ordered_lsm_parse(const char *order, const char *origin)

{

	struct lsm_info *lsm;

	char *sep, *name, *next;



	sep = kstrdup(order, GFP_KERNEL);

	next = sep;

	/* Walk the list, looking for matching LSMs. */

	while ((name = strsep(&next, ",")) != NULL) {

		bool found = false;



		for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {

		if (strcmp(lsm->name, order) == 0)

			if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0 &&

			    strcmp(lsm->name, name) == 0) {

				append_ordered_lsm(lsm, origin);

				found = true;

			}

		}



		if (!found)

			init_debug("%s ignored: %s\n", origin, name);

	}

	kfree(sep);

}



static void __init ordered_lsm_init(void)
@@ -173,7 +190,7 @@ static void __init ordered_lsm_init(void) 
	ordered_lsms = kcalloc(LSM_COUNT + 1, sizeof(*ordered_lsms),

				GFP_KERNEL);



	ordered_lsm_parse("integrity", "builtin");

	ordered_lsm_parse(builtin_lsm_order, "builtin");



	for (lsm = ordered_lsms; *lsm; lsm++)

		maybe_initialize_lsm(*lsm);