
[RFC,2/2] LSM: A sample of dynamically appendable LSM module.

Message ID 9fccf6d7-4b1b-dd4e-5479-3c6d21d08d5a@I-love.SAKURA.ne.jp (mailing list archive)
Commit Message

Tetsuo Handa Sept. 27, 2023, 3:09 p.m. UTC
This is an example of dynamically appendable LSM modules.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 demo/Makefile |  1 +
 demo/demo.c   | 38 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+)
 create mode 100644 demo/Makefile
 create mode 100644 demo/demo.c

Comments

Song Liu Sept. 27, 2023, 4:05 p.m. UTC | #1
On Wed, Sep 27, 2023 at 8:09 AM Tetsuo Handa
<penguin-kernel@i-love.sakura.ne.jp> wrote:
>
> This is an example of dynamically appendable LSM modules.

Maybe add this to samples/lsm/ or samples/security/?

And we need to assign maintainer(s) for it. Maybe add the files to
"SECURITY SUBSYSTEM" in MAINTAINERS

Thanks,
Song

>
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> ---
>  demo/Makefile |  1 +
>  demo/demo.c   | 38 ++++++++++++++++++++++++++++++++++++++
>  2 files changed, 39 insertions(+)
>  create mode 100644 demo/Makefile
>  create mode 100644 demo/demo.c
>
> diff --git a/demo/Makefile b/demo/Makefile
> new file mode 100644
> index 000000000000..8a6ab0945858
> --- /dev/null
> +++ b/demo/Makefile
> @@ -0,0 +1 @@
> +obj-m += demo.o
> diff --git a/demo/demo.c b/demo/demo.c
> new file mode 100644
> index 000000000000..90b03d10bd72
> --- /dev/null
> +++ b/demo/demo.c
> @@ -0,0 +1,38 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +#include <linux/module.h>
> +#include <linux/lsm_hooks.h>
> +
> +static int demo_task_alloc_security(struct task_struct *p,
> +                                   unsigned long clone_flags)
> +{
> +       static unsigned int count;
> +
> +       if (count++ < 5)
> +               dump_stack();
> +       return 0;
> +}
> +
> +static void demo_task_free_security(struct task_struct *p)
> +{
> +       static unsigned int count;
> +
> +       if (count++ < 5)
> +               dump_stack();
> +}
> +
> +static struct security_hook_list demo_hooks[] __ro_after_init = {
> +       LSM_HOOK_INIT(task_free, demo_task_free_security),
> +       LSM_HOOK_INIT(task_alloc, demo_task_alloc_security),
> +};
> +
> +static int __init demo_init(void)
> +{
> +       const int ret = register_loadable_lsm(demo_hooks,
> +                                             ARRAY_SIZE(demo_hooks), "demo");
> +
> +       pr_info("Registering demo LSM module returned %d.\n", ret);
> +       return ret;
> +}
> +
> +module_init(demo_init);
> +MODULE_LICENSE("GPL");
> --
> 2.18.4
>
>

Patch

diff --git a/demo/Makefile b/demo/Makefile
new file mode 100644
index 000000000000..8a6ab0945858
--- /dev/null
+++ b/demo/Makefile
@@ -0,0 +1 @@ 
+obj-m += demo.o
diff --git a/demo/demo.c b/demo/demo.c
new file mode 100644
index 000000000000..90b03d10bd72
--- /dev/null
+++ b/demo/demo.c
@@ -0,0 +1,38 @@ 
+// SPDX-License-Identifier: GPL-2.0-or-later
+#include <linux/module.h>
+#include <linux/lsm_hooks.h>
+
+static int demo_task_alloc_security(struct task_struct *p,
+				    unsigned long clone_flags)
+{
+	static unsigned int count;
+
+	if (count++ < 5)
+		dump_stack();
+	return 0;
+}
+
+static void demo_task_free_security(struct task_struct *p)
+{
+	static unsigned int count;
+
+	if (count++ < 5)
+		dump_stack();
+}
+
+static struct security_hook_list demo_hooks[] __ro_after_init = {
+	LSM_HOOK_INIT(task_free, demo_task_free_security),
+	LSM_HOOK_INIT(task_alloc, demo_task_alloc_security),
+};
+
+static int __init demo_init(void)
+{
+	const int ret = register_loadable_lsm(demo_hooks,
+					      ARRAY_SIZE(demo_hooks), "demo");
+
+	pr_info("Registering demo LSM module returned %d.\n", ret);
+	return ret;
+}
+
+module_init(demo_init);
+MODULE_LICENSE("GPL");
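Review bot: demo.c registers hooks but defines no `module_exit`, so once loaded the module can never be removed; if that is deliberate because `register_loadable_lsm()` (introduced in patch 1/2, not visible in this hunk) offers no way to unregister hooks, the sample should say so next to `module_init(demo_init);`, e.g. `/* No module_exit(): LSM hooks are never unregistered, so this module cannot be unloaded. */`. The `static unsigned int count` in `demo_task_alloc_security()` and `demo_task_free_security()` is incremented without atomics or locking while task_alloc/task_free hooks run concurrently on different CPUs; for a sample the only consequence is that a few more than five stacks may be dumped, but a comment such as `/* racy by design: only bounds the number of dump_stack() calls */` would keep readers from copying the pattern where the count matters. The `__ro_after_init` on `demo_hooks` presumably relies on the hook list nodes being written only during `demo_init()`; a one-line comment stating that assumption would make the intent explicit to anyone adapting this into a real module.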