LSM: Add /sys/kernel/security/lsm (d69dece5) · Commits · e / devices / android_kernel_teracube_emerald

Documentation/security/LSM.txt

+7 −0

Original line number	Diff line number	Diff line
		@@ -22,6 +22,13 @@ system, building their checks on top of the defined capability hooks.
		For more details on capabilities, see capabilities(7) in the Linux
		man-pages project.

		A list of the active security modules can be found by reading
		/sys/kernel/security/lsm. This is a comma separated list, and
		will always include the capability module. The list reflects the
		order in which checks are made. The capability module will always
		be first, followed by any "minor" modules (e.g. Yama) and then
		the one "major" module (e.g. SELinux) if there is one configured.

		Based on https://lkml.org/lkml/2007/10/26/215,
		a new LSM is accepted into the kernel when its intent (a description of
		what it tries to protect against and in what cases one would expect to

+4 −8

Original line number	Diff line number	Diff line
		@@ -1875,6 +1875,7 @@ struct security_hook_list {
		struct list_head list;
		struct list_head *head;
		union security_list_options hook;
		char *lsm;
		};

		/*
		@@ -1887,15 +1888,10 @@ struct security_hook_list {
		{ .head = &security_hook_heads.HEAD, .hook = { .HEAD = HOOK } }

		extern struct security_hook_heads security_hook_heads;
		extern char *lsm_names;

		static inline void security_add_hooks(struct security_hook_list *hooks,
		int count)
		{
		int i;

		for (i = 0; i < count; i++)
		list_add_tail_rcu(&hooks[i].list, hooks[i].head);
		}
		extern void security_add_hooks(struct security_hook_list *hooks, int count,
		char *lsm);

		#ifdef CONFIG_SECURITY_SELINUX_DISABLE
		/*

+2 −1

Original line number	Diff line number	Diff line
		@@ -999,7 +999,8 @@ static int __init apparmor_init(void)
		aa_free_root_ns();
		goto buffers_out;
		}
		security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks));
		security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks),
		"apparmor");

		/* Report that AppArmor successfully initialized */
		apparmor_initialized = 1;

+2 −1

Original line number	Diff line number	Diff line
		@@ -1093,7 +1093,8 @@ struct security_hook_list capability_hooks[] = {

		void __init capability_add_hooks(void)
		{
		security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks));
		security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks),
		"capability");
		}

		#endif /* CONFIG_SECURITY */

+24 −2

Original line number	Diff line number	Diff line
		@@ -20,6 +20,7 @@
		#include <linux/init.h>
		#include <linux/namei.h>
		#include <linux/security.h>
		#include <linux/lsm_hooks.h>
		#include <linux/magic.h>

		static struct vfsmount *mount;
		@@ -204,6 +205,21 @@ void securityfs_remove(struct dentry *dentry)
		}
		EXPORT_SYMBOL_GPL(securityfs_remove);

		#ifdef CONFIG_SECURITY
		static struct dentry *lsm_dentry;
		static ssize_t lsm_read(struct file filp, char __user buf, size_t count,
		loff_t *ppos)
		{
		return simple_read_from_buffer(buf, count, ppos, lsm_names,
		strlen(lsm_names));
		}

		static const struct file_operations lsm_ops = {
		.read = lsm_read,
		.llseek = generic_file_llseek,
		};
		#endif

		static int __init securityfs_init(void)
		{
		int retval;
		@@ -213,10 +229,16 @@ static int __init securityfs_init(void)
		return retval;

		retval = register_filesystem(&fs_type);
		if (retval)
		if (retval) {
		sysfs_remove_mount_point(kernel_kobj, "security");
		return retval;
		}
		#ifdef CONFIG_SECURITY
		lsm_dentry = securityfs_create_file("lsm", 0444, NULL, NULL,
		&lsm_ops);
		#endif
		return 0;
		}

		core_initcall(securityfs_init);
		MODULE_LICENSE("GPL");