[RFC,28/29] lsm: add a LSM_STARTED_ALL notification event

Message ID	20250409185019.238841-59-paul@paul-moore.com (mailing list archive)
State	New
Headers	show Received: from mail-qv1-f51.google.com (mail-qv1-f51.google.com [209.85.219.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DA6F627CB00 for <linux-integrity@vger.kernel.org>; Wed, 9 Apr 2025 18:53:56 +0000 (UTC) From: Paul Moore <paul@paul-moore.com> To: linux-security-module@vger.kernel.org, linux-integrity@vger.kernel.org, selinux@vger.kernel.org Cc: John Johansen <john.johansen@canonical.com>, Mimi Zohar <zohar@linux.ibm.com>, Roberto Sassu <roberto.sassu@huawei.com>, Fan Wu <wufan@kernel.org>, =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= <mic@digikod.net>, =?utf-8?q?G=C3=BCnt?= =?utf-8?q?her_Noack?= <gnoack@google.com>, Kees Cook <kees@kernel.org>, Micah Morton <mortonm@chromium.org>, Casey Schaufler <casey@schaufler-ca.com>, Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Subject: [RFC PATCH 28/29] lsm: add a LSM_STARTED_ALL notification event Date: Wed, 9 Apr 2025 14:50:13 -0400 Message-ID: <20250409185019.238841-59-paul@paul-moore.com> In-Reply-To: <20250409185019.238841-31-paul@paul-moore.com> References: <20250409185019.238841-31-paul@paul-moore.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	Rework the LSM initialization \| expand [RFC,0/29] Rework the LSM initialization [RFC,01/29] lsm: split the notifier code out into lsm_notifier.c [RFC,02/29] lsm: split the init code out into lsm_init.c [RFC,03/29] lsm: simplify prepare_lsm() and rename to lsm_prep_single() [RFC,04/29] lsm: simplify ordered_lsm_init() and rename to lsm_init_ordered() [RFC,05/29] lsm: replace the name field with a pointer to the lsm_id struct [RFC,06/29] lsm: cleanup and normalize the LSM order symbols naming [RFC,07/29] lsm: rework lsm_active_cnt and lsm_idlist[] [RFC,08/29] lsm: get rid of the lsm_names list and do some cleanup [RFC,09/29] lsm: cleanup and normalize the LSM enabled functions [RFC,10/29] lsm: cleanup the LSM blob size code [RFC,11/29] lsm: cleanup initialize_lsm() and rename to lsm_init_single() [RFC,12/29] lsm: cleanup the LSM ordered parsing [RFC,13/29] lsm: fold lsm_init_ordered() into security_init() [RFC,14/29] lsm: add missing function header comment blocks in lsm_init.c [RFC,15/29] lsm: cleanup the debug and console output in lsm_init.c [RFC,16/29] lsm: output available LSMs when debugging [RFC,17/29] lsm: introduce an initcall mechanism into the LSM framework [RFC,18/29] loadpin: move initcalls to the LSM framework [RFC,19/29] ipe: move initcalls to the LSM framework [RFC,20/29] smack: move initcalls to the LSM framework [RFC,21/29] tomoyo: move initcalls to the LSM framework [RFC,22/29] safesetid: move initcalls to the LSM framework [RFC,23/29] apparmor: move initcalls to the LSM framework [RFC,24/29] lockdown: move initcalls to the LSM framework [RFC,25/29] ima,evm: move initcalls to the LSM framework [RFC,26/29] selinux: move initcalls to the LSM framework [RFC,27/29] lsm: consolidate all of the LSM framework initcalls [RFC,28/29] lsm: add a LSM_STARTED_ALL notification event [RFC,29/29] lsm: add support for counting lsm_prop support among LSMs

Message ID

20250409185019.238841-59-paul@paul-moore.com (mailing list archive)

State

New

Headers

From: Paul Moore <paul@paul-moore.com>
To: linux-security-module@vger.kernel.org,
	linux-integrity@vger.kernel.org,
	selinux@vger.kernel.org
Cc: John Johansen <john.johansen@canonical.com>,
 Mimi Zohar <zohar@linux.ibm.com>, Roberto Sassu <roberto.sassu@huawei.com>,
 Fan Wu <wufan@kernel.org>,
 =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= <mic@digikod.net>, =?utf-8?q?G=C3=BCnt?=
	=?utf-8?q?her_Noack?= <gnoack@google.com>, Kees Cook <kees@kernel.org>,
 Micah Morton <mortonm@chromium.org>,
 Casey Schaufler <casey@schaufler-ca.com>,
 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Subject: [RFC PATCH 28/29] lsm: add a LSM_STARTED_ALL notification event
Date: Wed,  9 Apr 2025 14:50:13 -0400
Message-ID: <20250409185019.238841-59-paul@paul-moore.com>
In-Reply-To: <20250409185019.238841-31-paul@paul-moore.com>
References: <20250409185019.238841-31-paul@paul-moore.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

Rework the LSM initialization | expand

Commit Message

Paul Moore April 9, 2025, 6:50 p.m. UTC

Add a new LSM notifier event, LSM_STARTED_ALL, which is fired once at
boot when all of the LSMs have been started.

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 include/linux/security.h | 1 +
 security/lsm_init.c      | 1 +
 2 files changed, 2 insertions(+)

Comments

Kees Cook April 9, 2025, 11:53 p.m. UTC | #1

On Wed, Apr 09, 2025 at 02:50:13PM -0400, Paul Moore wrote:
> Add a new LSM notifier event, LSM_STARTED_ALL, which is fired once at
> boot when all of the LSMs have been started.

This is where the lsm_names string could be built too...

Reviewed-by: Kees Cook <kees@kernel.org>


> 
> Signed-off-by: Paul Moore <paul@paul-moore.com>
> ---
>  include/linux/security.h | 1 +
>  security/lsm_init.c      | 1 +
>  2 files changed, 2 insertions(+)
> 
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 8aac21787a9f..a0ff4fc69375 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -85,6 +85,7 @@ struct timezone;
>  
>  enum lsm_event {
>  	LSM_POLICY_CHANGE,
> +	LSM_STARTED_ALL,
>  };
>  
>  struct dm_verity_digest {
> diff --git a/security/lsm_init.c b/security/lsm_init.c
> index c0881407ca3f..cad6d243a2a6 100644
> --- a/security/lsm_init.c
> +++ b/security/lsm_init.c
> @@ -553,6 +553,7 @@ static int __init security_initcall_late(void)
>  
>  	rc = lsm_initcall(late);
>  	lsm_pr_dbg("all enabled LSMs fully activated\n");
> +	call_blocking_lsm_notifier(LSM_STARTED_ALL, NULL);
>  
>  	return rc;
>  }
> -- 
> 2.49.0
>

diff --git a/include/linux/security.h b/include/linux/security.h
index 8aac21787a9f..a0ff4fc69375 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -85,6 +85,7 @@  struct timezone;
 
 enum lsm_event {
 	LSM_POLICY_CHANGE,
+	LSM_STARTED_ALL,
 };
 
 struct dm_verity_digest {
diff --git a/security/lsm_init.c b/security/lsm_init.c
index c0881407ca3f..cad6d243a2a6 100644
--- a/security/lsm_init.c
+++ b/security/lsm_init.c
@@ -553,6 +553,7 @@  static int __init security_initcall_late(void)
 
 	rc = lsm_initcall(late);
 	lsm_pr_dbg("all enabled LSMs fully activated\n");
+	call_blocking_lsm_notifier(LSM_STARTED_ALL, NULL);
 
 	return rc;
 }

[RFC,28/29] lsm: add a LSM_STARTED_ALL notification event

Commit Message

Comments

Patch