[RFC,18/29] loadpin: move initcalls to the LSM framework

Message ID	20250409185019.238841-49-paul@paul-moore.com (mailing list archive)
State	New
Headers	show Received: from mail-qk1-f171.google.com (mail-qk1-f171.google.com [209.85.222.171]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BB7D327C178 for <linux-integrity@vger.kernel.org>; Wed, 9 Apr 2025 18:53:47 +0000 (UTC) From: Paul Moore <paul@paul-moore.com> To: linux-security-module@vger.kernel.org, linux-integrity@vger.kernel.org, selinux@vger.kernel.org Cc: John Johansen <john.johansen@canonical.com>, Mimi Zohar <zohar@linux.ibm.com>, Roberto Sassu <roberto.sassu@huawei.com>, Fan Wu <wufan@kernel.org>, =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= <mic@digikod.net>, =?utf-8?q?G=C3=BCnt?= =?utf-8?q?her_Noack?= <gnoack@google.com>, Kees Cook <kees@kernel.org>, Micah Morton <mortonm@chromium.org>, Casey Schaufler <casey@schaufler-ca.com>, Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Subject: [RFC PATCH 18/29] loadpin: move initcalls to the LSM framework Date: Wed, 9 Apr 2025 14:50:03 -0400 Message-ID: <20250409185019.238841-49-paul@paul-moore.com> In-Reply-To: <20250409185019.238841-31-paul@paul-moore.com> References: <20250409185019.238841-31-paul@paul-moore.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	Rework the LSM initialization \| expand [RFC,0/29] Rework the LSM initialization [RFC,01/29] lsm: split the notifier code out into lsm_notifier.c [RFC,02/29] lsm: split the init code out into lsm_init.c [RFC,03/29] lsm: simplify prepare_lsm() and rename to lsm_prep_single() [RFC,04/29] lsm: simplify ordered_lsm_init() and rename to lsm_init_ordered() [RFC,05/29] lsm: replace the name field with a pointer to the lsm_id struct [RFC,06/29] lsm: cleanup and normalize the LSM order symbols naming [RFC,07/29] lsm: rework lsm_active_cnt and lsm_idlist[] [RFC,08/29] lsm: get rid of the lsm_names list and do some cleanup [RFC,09/29] lsm: cleanup and normalize the LSM enabled functions [RFC,10/29] lsm: cleanup the LSM blob size code [RFC,11/29] lsm: cleanup initialize_lsm() and rename to lsm_init_single() [RFC,12/29] lsm: cleanup the LSM ordered parsing [RFC,13/29] lsm: fold lsm_init_ordered() into security_init() [RFC,14/29] lsm: add missing function header comment blocks in lsm_init.c [RFC,15/29] lsm: cleanup the debug and console output in lsm_init.c [RFC,16/29] lsm: output available LSMs when debugging [RFC,17/29] lsm: introduce an initcall mechanism into the LSM framework [RFC,18/29] loadpin: move initcalls to the LSM framework [RFC,19/29] ipe: move initcalls to the LSM framework [RFC,20/29] smack: move initcalls to the LSM framework [RFC,21/29] tomoyo: move initcalls to the LSM framework [RFC,22/29] safesetid: move initcalls to the LSM framework [RFC,23/29] apparmor: move initcalls to the LSM framework [RFC,24/29] lockdown: move initcalls to the LSM framework [RFC,25/29] ima,evm: move initcalls to the LSM framework [RFC,26/29] selinux: move initcalls to the LSM framework [RFC,27/29] lsm: consolidate all of the LSM framework initcalls [RFC,28/29] lsm: add a LSM_STARTED_ALL notification event [RFC,29/29] lsm: add support for counting lsm_prop support among LSMs

Message ID

20250409185019.238841-49-paul@paul-moore.com (mailing list archive)

State

New

Headers

From: Paul Moore <paul@paul-moore.com>
To: linux-security-module@vger.kernel.org,
	linux-integrity@vger.kernel.org,
	selinux@vger.kernel.org
Cc: John Johansen <john.johansen@canonical.com>,
 Mimi Zohar <zohar@linux.ibm.com>, Roberto Sassu <roberto.sassu@huawei.com>,
 Fan Wu <wufan@kernel.org>,
 =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= <mic@digikod.net>, =?utf-8?q?G=C3=BCnt?=
	=?utf-8?q?her_Noack?= <gnoack@google.com>, Kees Cook <kees@kernel.org>,
 Micah Morton <mortonm@chromium.org>,
 Casey Schaufler <casey@schaufler-ca.com>,
 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Subject: [RFC PATCH 18/29] loadpin: move initcalls to the LSM framework
Date: Wed,  9 Apr 2025 14:50:03 -0400
Message-ID: <20250409185019.238841-49-paul@paul-moore.com>
In-Reply-To: <20250409185019.238841-31-paul@paul-moore.com>
References: <20250409185019.238841-31-paul@paul-moore.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

Rework the LSM initialization | expand

Comments

Kees Cook April 9, 2025, 11:39 p.m. UTC | #1

On Wed, Apr 09, 2025 at 02:50:03PM -0400, Paul Moore wrote:
> Signed-off-by: Paul Moore <paul@paul-moore.com>

Reviewed-by: Kees Cook <kees@kernel.org>

Paul Moore April 11, 2025, 1:15 a.m. UTC | #2

On Wed, Apr 9, 2025 at 7:39 PM Kees Cook <kees@kernel.org> wrote:
> On Wed, Apr 09, 2025 at 02:50:03PM -0400, Paul Moore wrote:
> > Signed-off-by: Paul Moore <paul@paul-moore.com>
>
> Reviewed-by: Kees Cook <kees@kernel.org>

Do you mind if I convert this into an Acked-by?  Generally speaking I
put more weight behind a Reviewed-by tag, but in the case of Loadpin
you are the maintainer and I'd much prefer an Acked-by.  While I'm
always happy to get more reviews on a patch, the primary reason for
CC'ing you directly was to get ACKs on the LSMs you maintain :)

Kees Cook April 11, 2025, 2:16 a.m. UTC | #3

On Thu, Apr 10, 2025 at 09:15:47PM -0400, Paul Moore wrote:
> On Wed, Apr 9, 2025 at 7:39 PM Kees Cook <kees@kernel.org> wrote:
> > On Wed, Apr 09, 2025 at 02:50:03PM -0400, Paul Moore wrote:
> > > Signed-off-by: Paul Moore <paul@paul-moore.com>
> >
> > Reviewed-by: Kees Cook <kees@kernel.org>
>
> Do you mind if I convert this into an Acked-by?  Generally speaking I
> put more weight behind a Reviewed-by tag, but in the case of Loadpin
> you are the maintainer and I'd much prefer an Acked-by.  While I'm
> always happy to get more reviews on a patch, the primary reason for
> CC'ing you directly was to get ACKs on the LSMs you maintain :)

Acked-by: Kees Cook <kees@kernel.org>

:)

Paul Moore April 11, 2025, 2:41 a.m. UTC | #4

On Thu, Apr 10, 2025 at 10:16 PM Kees Cook <kees@kernel.org> wrote:
>
> On Thu, Apr 10, 2025 at 09:15:47PM -0400, Paul Moore wrote:
> > On Wed, Apr 9, 2025 at 7:39 PM Kees Cook <kees@kernel.org> wrote:
> > > On Wed, Apr 09, 2025 at 02:50:03PM -0400, Paul Moore wrote:
> > > > Signed-off-by: Paul Moore <paul@paul-moore.com>
> > >
> > > Reviewed-by: Kees Cook <kees@kernel.org>
> >
> > Do you mind if I convert this into an Acked-by?  Generally speaking I
> > put more weight behind a Reviewed-by tag, but in the case of Loadpin
> > you are the maintainer and I'd much prefer an Acked-by.  While I'm
> > always happy to get more reviews on a patch, the primary reason for
> > CC'ing you directly was to get ACKs on the LSMs you maintain :)
>
> Acked-by: Kees Cook <kees@kernel.org>
>
> :)

Thanks :)

diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c
index b9ddf05c5c16..273ffbd6defe 100644
--- a/security/loadpin/loadpin.c
+++ b/security/loadpin/loadpin.c
@@ -270,11 +270,6 @@  static int __init loadpin_init(void)
 	return 0;
 }
 
-DEFINE_LSM(loadpin) = {
-	.id = &loadpin_lsmid,
-	.init = loadpin_init,
-};
-
 #ifdef CONFIG_SECURITY_LOADPIN_VERITY
 
 enum loadpin_securityfs_interface_index {
@@ -434,10 +429,16 @@  static int __init init_loadpin_securityfs(void)
 	return 0;
 }
 
-fs_initcall(init_loadpin_securityfs);
-
 #endif /* CONFIG_SECURITY_LOADPIN_VERITY */
 
+DEFINE_LSM(loadpin) = {
+	.id = &loadpin_lsmid,
+	.init = loadpin_init,
+#ifdef CONFIG_SECURITY_LOADPIN_VERITY
+	.initcall_fs = init_loadpin_securityfs,
+#endif /* CONFIG_SECURITY_LOADPIN_VERITY */
+};
+
 /* Should not be mutable after boot, so not listed in sysfs (perm == 0). */
 module_param(enforce, int, 0);
 MODULE_PARM_DESC(enforce, "Enforce module/firmware pinning");

[RFC,18/29] loadpin: move initcalls to the LSM framework

Commit Message

Comments

Patch