
[RFC,07/29] lsm: rework lsm_active_cnt and lsm_idlist[]

Message ID 20250409185019.238841-38-paul@paul-moore.com (mailing list archive)
State New
Series Rework the LSM initialization | expand

Commit Message

Paul Moore April 9, 2025, 6:49 p.m. UTC
Move the LSM count and lsm_id list declarations out of a header that is
visible across the kernel and into a header that is limited to the LSM
framework.  This not only helps keep the include/linux headers smaller
and cleaner, it helps prevent misuse of these variables.

During the move, lsm_active_cnt was renamed to lsm_count for the sake
of brevity.

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 include/linux/security.h | 2 --
 security/lsm.h           | 5 +++++
 security/lsm_init.c      | 8 +-------
 security/lsm_syscalls.c  | 8 +++++---
 security/security.c      | 3 +++
 5 files changed, 14 insertions(+), 12 deletions(-)

Comments

Casey Schaufler April 9, 2025, 9:38 p.m. UTC | #1
On 4/9/2025 11:49 AM, Paul Moore wrote:
> Move the LSM count and lsm_id list declarations out of a header that is
> visible across the kernel and into a header that is limited to the LSM
> framework.  This not only helps keep the include/linux headers smaller
> and cleaner, it helps prevent misuse of these variables.
>
> During the move, lsm_active_cnt was renamed to lsm_count for the sake
> of brevity.

lsm_count could be mistaken to be the number of LSMs compiled in
as opposed to the number that are active. Hence lsm_active_cnt.

>
> Signed-off-by: Paul Moore <paul@paul-moore.com>
> ---
>  include/linux/security.h | 2 --
>  security/lsm.h           | 5 +++++
>  security/lsm_init.c      | 8 +-------
>  security/lsm_syscalls.c  | 8 +++++---
>  security/security.c      | 3 +++
>  5 files changed, 14 insertions(+), 12 deletions(-)
>
> diff --git a/include/linux/security.h b/include/linux/security.h
> index cc9b54d95d22..8aac21787a9f 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -167,8 +167,6 @@ struct lsm_prop {
>  };
>  
>  extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1];
> -extern u32 lsm_active_cnt;
> -extern const struct lsm_id *lsm_idlist[];
>  
>  /* These functions are in security/commoncap.c */
>  extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
> diff --git a/security/lsm.h b/security/lsm.h
> index 0e1731bad4a7..af343072199d 100644
> --- a/security/lsm.h
> +++ b/security/lsm.h
> @@ -7,6 +7,11 @@
>  #define _LSM_H_
>  
>  #include <linux/lsm_hooks.h>
> +#include <linux/lsm_count.h>
> +
> +/* List of configured LSMs */
> +extern unsigned int lsm_count;
> +extern const struct lsm_id *lsm_idlist[];
>  
>  /* LSM blob configuration */
>  extern struct lsm_blob_sizes blob_sizes;
> diff --git a/security/lsm_init.c b/security/lsm_init.c
> index edf2f4140eaa..981ddb20f48e 100644
> --- a/security/lsm_init.c
> +++ b/security/lsm_init.c
> @@ -22,8 +22,8 @@ static __initdata const char *lsm_order_cmdline;
>  static __initdata const char *lsm_order_legacy;
>  
>  /* Ordered list of LSMs to initialize. */
> -static __initdata struct lsm_info *lsm_order[MAX_LSM_COUNT + 1];
>  static __initdata struct lsm_info *lsm_exclusive;
> +static __initdata struct lsm_info *lsm_order[MAX_LSM_COUNT + 1];
>  
>  static __initdata bool debug;
>  #define init_debug(...)							\
> @@ -211,12 +211,6 @@ static void __init initialize_lsm(struct lsm_info *lsm)
>  	}
>  }
>  
> -/*
> - * Current index to use while initializing the lsm id list.
> - */
> -u32 lsm_active_cnt __ro_after_init;
> -const struct lsm_id *lsm_idlist[MAX_LSM_COUNT];
> -
>  /* Populate ordered LSMs list from comma-separated LSM name list. */
>  static void __init ordered_lsm_parse(const char *order, const char *origin)
>  {
> diff --git a/security/lsm_syscalls.c b/security/lsm_syscalls.c
> index 8440948a690c..3fb0d77ae65c 100644
> --- a/security/lsm_syscalls.c
> +++ b/security/lsm_syscalls.c
> @@ -17,6 +17,8 @@
>  #include <linux/lsm_hooks.h>
>  #include <uapi/linux/lsm.h>
>  
> +#include "lsm.h"
> +
>  /**
>   * lsm_name_to_attr - map an LSM attribute name to its ID
>   * @name: name of the attribute
> @@ -96,7 +98,7 @@ SYSCALL_DEFINE4(lsm_get_self_attr, unsigned int, attr, struct lsm_ctx __user *,
>  SYSCALL_DEFINE3(lsm_list_modules, u64 __user *, ids, u32 __user *, size,
>  		u32, flags)
>  {
> -	u32 total_size = lsm_active_cnt * sizeof(*ids);
> +	u32 total_size = lsm_count * sizeof(*ids);
>  	u32 usize;
>  	int i;
>  
> @@ -112,9 +114,9 @@ SYSCALL_DEFINE3(lsm_list_modules, u64 __user *, ids, u32 __user *, size,
>  	if (usize < total_size)
>  		return -E2BIG;
>  
> -	for (i = 0; i < lsm_active_cnt; i++)
> +	for (i = 0; i < lsm_count; i++)
>  		if (put_user(lsm_idlist[i]->id, ids++))
>  			return -EFAULT;
>  
> -	return lsm_active_cnt;
> +	return lsm_count;
>  }
> diff --git a/security/security.c b/security/security.c
> index 8d370a4c5e74..a3e8dd640b39 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -73,6 +73,9 @@ const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX + 1] = {
>  	[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
>  };
>  
> +unsigned int lsm_count __ro_after_init;
> +const struct lsm_id *lsm_idlist[MAX_LSM_COUNT];
> +
>  struct lsm_blob_sizes blob_sizes;
>  
>  struct kmem_cache *lsm_file_cache;
Kees Cook April 9, 2025, 11:06 p.m. UTC | #2
On Wed, Apr 09, 2025 at 02:49:52PM -0400, Paul Moore wrote:
> Move the LSM count and lsm_id list declarations out of a header that is
> visible across the kernel and into a header that is limited to the LSM
> framework.  This not only helps keep the include/linux headers smaller
> and cleaner, it helps prevent misuse of these variables.

Yay for private headers!

> During the move, lsm_active_cnt was renamed to lsm_count for the sake
> of brevity.

I would echo Casey's comment. Other places deal with a count based on
the compile-in count of "all" LSMs. This one is for the active list.
If you really want two words, perhaps "lsms_active"?


> 
> Signed-off-by: Paul Moore <paul@paul-moore.com>
> ---
>  include/linux/security.h | 2 --
>  security/lsm.h           | 5 +++++
>  security/lsm_init.c      | 8 +-------
>  security/lsm_syscalls.c  | 8 +++++---
>  security/security.c      | 3 +++
>  5 files changed, 14 insertions(+), 12 deletions(-)
> 
> diff --git a/include/linux/security.h b/include/linux/security.h
> index cc9b54d95d22..8aac21787a9f 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -167,8 +167,6 @@ struct lsm_prop {
>  };
>  
>  extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1];
> -extern u32 lsm_active_cnt;
> -extern const struct lsm_id *lsm_idlist[];
>  
>  /* These functions are in security/commoncap.c */
>  extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
> diff --git a/security/lsm.h b/security/lsm.h
> index 0e1731bad4a7..af343072199d 100644
> --- a/security/lsm.h
> +++ b/security/lsm.h
> @@ -7,6 +7,11 @@
>  #define _LSM_H_
>  
>  #include <linux/lsm_hooks.h>
> +#include <linux/lsm_count.h>
> +
> +/* List of configured LSMs */
> +extern unsigned int lsm_count;
> +extern const struct lsm_id *lsm_idlist[];
>  
>  /* LSM blob configuration */
>  extern struct lsm_blob_sizes blob_sizes;
> diff --git a/security/lsm_init.c b/security/lsm_init.c
> index edf2f4140eaa..981ddb20f48e 100644
> --- a/security/lsm_init.c
> +++ b/security/lsm_init.c
> @@ -22,8 +22,8 @@ static __initdata const char *lsm_order_cmdline;
>  static __initdata const char *lsm_order_legacy;
>  
>  /* Ordered list of LSMs to initialize. */
> -static __initdata struct lsm_info *lsm_order[MAX_LSM_COUNT + 1];
>  static __initdata struct lsm_info *lsm_exclusive;
> +static __initdata struct lsm_info *lsm_order[MAX_LSM_COUNT + 1];

I don't care either way, but why re-order these? Just local reverse
xmas-tree?
Paul Moore April 10, 2025, 9:58 p.m. UTC | #3
On Wed, Apr 9, 2025 at 5:38 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> On 4/9/2025 11:49 AM, Paul Moore wrote:
> > Move the LSM count and lsm_id list declarations out of a header that is
> > visible across the kernel and into a header that is limited to the LSM
> > framework.  This not only helps keep the include/linux headers smaller
> > and cleaner, it helps prevent misuse of these variables.
> >
> > During the move, lsm_active_cnt was renamed to lsm_count for the sake
> > of brevity.
>
> lsm_count could be mistaken to be the number of LSMs compiled in
> as opposed to the number that are active. Hence lsm_active_cnt.

Fair enough, I'll preserve the name.
Paul Moore April 10, 2025, 10:04 p.m. UTC | #4
On Wed, Apr 9, 2025 at 7:06 PM Kees Cook <kees@kernel.org> wrote:
> On Wed, Apr 09, 2025 at 02:49:52PM -0400, Paul Moore wrote:

...

> > diff --git a/security/lsm_init.c b/security/lsm_init.c
> > index edf2f4140eaa..981ddb20f48e 100644
> > --- a/security/lsm_init.c
> > +++ b/security/lsm_init.c
> > @@ -22,8 +22,8 @@ static __initdata const char *lsm_order_cmdline;
> >  static __initdata const char *lsm_order_legacy;
> >
> >  /* Ordered list of LSMs to initialize. */
> > -static __initdata struct lsm_info *lsm_order[MAX_LSM_COUNT + 1];
> >  static __initdata struct lsm_info *lsm_exclusive;
> > +static __initdata struct lsm_info *lsm_order[MAX_LSM_COUNT + 1];
>
> I don't care either way, but why re-order these? Just local reverse
> xmas-tree?

Sure?

Honestly can't say for certain, at this point in the development
process I had somewhat resigned myself to having a mess of a patchset
so I figured this was an opportunity to make it look "nice" (er?) in
my mind, and I suppose at that point that looked better to me ... ?
Kees Cook April 10, 2025, 10:25 p.m. UTC | #5
On Thu, Apr 10, 2025 at 06:04:38PM -0400, Paul Moore wrote:
> On Wed, Apr 9, 2025 at 7:06 PM Kees Cook <kees@kernel.org> wrote:
> > On Wed, Apr 09, 2025 at 02:49:52PM -0400, Paul Moore wrote:
> 
> ...
> 
> > > diff --git a/security/lsm_init.c b/security/lsm_init.c
> > > index edf2f4140eaa..981ddb20f48e 100644
> > > --- a/security/lsm_init.c
> > > +++ b/security/lsm_init.c
> > > @@ -22,8 +22,8 @@ static __initdata const char *lsm_order_cmdline;
> > >  static __initdata const char *lsm_order_legacy;
> > >
> > >  /* Ordered list of LSMs to initialize. */
> > > -static __initdata struct lsm_info *lsm_order[MAX_LSM_COUNT + 1];
> > >  static __initdata struct lsm_info *lsm_exclusive;
> > > +static __initdata struct lsm_info *lsm_order[MAX_LSM_COUNT + 1];
> >
> > I don't care either way, but why re-order these? Just local reverse
> > xmas-tree?
> 
> Sure?
> 
> Honestly can't say for certain, at this point in the development
> process I had somewhat resigned myself to having a mess of a patchset
> so I figured this was an opportunity to make it look "nice" (er?) in
> my mind, and I suppose at that point that looked better to me ... ?

Understood. I think I ordered them the original way because I was hopeful
we'd remove "exclusive" soon, and it felt better to remove it from the
end of a list of variables. *shrug* yay code vibes
Casey Schaufler April 11, 2025, 12:58 a.m. UTC | #6
On 4/10/2025 3:25 PM, Kees Cook wrote:
> On Thu, Apr 10, 2025 at 06:04:38PM -0400, Paul Moore wrote:
>> On Wed, Apr 9, 2025 at 7:06 PM Kees Cook <kees@kernel.org> wrote:
>>> On Wed, Apr 09, 2025 at 02:49:52PM -0400, Paul Moore wrote:
>> ...
>>
>>>> diff --git a/security/lsm_init.c b/security/lsm_init.c
>>>> index edf2f4140eaa..981ddb20f48e 100644
>>>> --- a/security/lsm_init.c
>>>> +++ b/security/lsm_init.c
>>>> @@ -22,8 +22,8 @@ static __initdata const char *lsm_order_cmdline;
>>>>  static __initdata const char *lsm_order_legacy;
>>>>
>>>>  /* Ordered list of LSMs to initialize. */
>>>> -static __initdata struct lsm_info *lsm_order[MAX_LSM_COUNT + 1];
>>>>  static __initdata struct lsm_info *lsm_exclusive;
>>>> +static __initdata struct lsm_info *lsm_order[MAX_LSM_COUNT + 1];
>>> I don't care either way, but why re-order these? Just local reverse
>>> xmas-tree?
>> Sure?
>>
>> Honestly can't say for certain, at this point in the development
>> process I had somewhat resigned myself to having a mess of a patchset
>> so I figured this was an opportunity to make it look "nice" (er?) in
>> my mind, and I suppose at that point that looked better to me ... ?
> Understood. I think I ordered the original way because I was hopefully
> we'd remove "exclusive" soon,

In the pipeline. Small values of "soon".

>  and it felt better to remove it from the
> end of a list of variables. *shrug* yay code vibes
>

Patch

diff --git a/include/linux/security.h b/include/linux/security.h
index cc9b54d95d22..8aac21787a9f 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -167,8 +167,6 @@  struct lsm_prop {
 };
 
 extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1];
-extern u32 lsm_active_cnt;
-extern const struct lsm_id *lsm_idlist[];
 
 /* These functions are in security/commoncap.c */
 extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
diff --git a/security/lsm.h b/security/lsm.h
index 0e1731bad4a7..af343072199d 100644
--- a/security/lsm.h
+++ b/security/lsm.h
@@ -7,6 +7,11 @@ 
 #define _LSM_H_
 
 #include <linux/lsm_hooks.h>
+#include <linux/lsm_count.h>
+
+/* List of configured LSMs */
+extern unsigned int lsm_count;
+extern const struct lsm_id *lsm_idlist[];
 
 /* LSM blob configuration */
 extern struct lsm_blob_sizes blob_sizes;
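Review bot: The new comment `/* List of configured LSMs */` in the lsm.h hunk covers only lsm_idlist and says nothing about lsm_count or how the two relate, and the explanation removed from lsm_init.c in the same patch is not carried over anywhere. I would document each declaration separately, e.g. `/* Number of valid entries in lsm_idlist; set during init (__ro_after_init) */` above `extern unsigned int lsm_count;` and `/* lsm_id of each LSM; only the first lsm_count entries are valid */` above the array, since the lsm_list_modules syscall walks exactly lsm_count entries of it. Now that `<linux/lsm_count.h>` is included here, the extern could also carry the bound, `extern const struct lsm_id *lsm_idlist[MAX_LSM_COUNT];`, matching the definition in security.c so the compiler checks that the two agree.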
diff --git a/security/lsm_init.c b/security/lsm_init.c
index edf2f4140eaa..981ddb20f48e 100644
--- a/security/lsm_init.c
+++ b/security/lsm_init.c
@@ -22,8 +22,8 @@  static __initdata const char *lsm_order_cmdline;
 static __initdata const char *lsm_order_legacy;
 
 /* Ordered list of LSMs to initialize. */
-static __initdata struct lsm_info *lsm_order[MAX_LSM_COUNT + 1];
 static __initdata struct lsm_info *lsm_exclusive;
+static __initdata struct lsm_info *lsm_order[MAX_LSM_COUNT + 1];
 
 static __initdata bool debug;
 #define init_debug(...)							\
@@ -211,12 +211,6 @@  static void __init initialize_lsm(struct lsm_info *lsm)
 	}
 }
 
-/*
- * Current index to use while initializing the lsm id list.
- */
-u32 lsm_active_cnt __ro_after_init;
-const struct lsm_id *lsm_idlist[MAX_LSM_COUNT];
-
 /* Populate ordered LSMs list from comma-separated LSM name list. */
 static void __init ordered_lsm_parse(const char *order, const char *origin)
 {
diff --git a/security/lsm_syscalls.c b/security/lsm_syscalls.c
index 8440948a690c..3fb0d77ae65c 100644
--- a/security/lsm_syscalls.c
+++ b/security/lsm_syscalls.c
@@ -17,6 +17,8 @@ 
 #include <linux/lsm_hooks.h>
 #include <uapi/linux/lsm.h>
 
+#include "lsm.h"
+
 /**
  * lsm_name_to_attr - map an LSM attribute name to its ID
  * @name: name of the attribute
@@ -96,7 +98,7 @@  SYSCALL_DEFINE4(lsm_get_self_attr, unsigned int, attr, struct lsm_ctx __user *,
 SYSCALL_DEFINE3(lsm_list_modules, u64 __user *, ids, u32 __user *, size,
 		u32, flags)
 {
-	u32 total_size = lsm_active_cnt * sizeof(*ids);
+	u32 total_size = lsm_count * sizeof(*ids);
 	u32 usize;
 	int i;
 
@@ -112,9 +114,9 @@  SYSCALL_DEFINE3(lsm_list_modules, u64 __user *, ids, u32 __user *, size,
 	if (usize < total_size)
 		return -E2BIG;
 
-	for (i = 0; i < lsm_active_cnt; i++)
+	for (i = 0; i < lsm_count; i++)
 		if (put_user(lsm_idlist[i]->id, ids++))
 			return -EFAULT;
 
-	return lsm_active_cnt;
+	return lsm_count;
 }
diff --git a/security/security.c b/security/security.c
index 8d370a4c5e74..a3e8dd640b39 100644
--- a/security/security.c
+++ b/security/security.c
@@ -73,6 +73,9 @@  const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX + 1] = {
 	[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
 };
 
+unsigned int lsm_count __ro_after_init;
+const struct lsm_id *lsm_idlist[MAX_LSM_COUNT];
+
 struct lsm_blob_sizes blob_sizes;
 
 struct kmem_cache *lsm_file_cache;
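Review bot: `lsm_idlist` is defined on the new lines in security.c without `__ro_after_init`, while the neighbouring `lsm_count` has it; the comment dropped from lsm_init.c in this patch (the count serving as the index while initializing the id list) suggests the array is likewise only written during init, in which case `const struct lsm_id *lsm_idlist[MAX_LSM_COUNT] __ro_after_init;` would keep the table that the lsm_list_modules syscall reads from being writable at runtime. The code that fills lsm_idlist is outside this patch, so confirm there is no post-init store before adding the attribute. The two definitions also land without any comment; a one-liner such as `/* Count and lsm_id list of the LSMs initialized at boot, filled by the LSM init code */` would preserve the explanation the move removes.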