
[RFC,29/29] lsm: add support for counting lsm_prop support among LSMs

Message ID 20250409185019.238841-60-paul@paul-moore.com (mailing list archive)
State New

Commit Message

Paul Moore April 9, 2025, 6:50 p.m. UTC
Add two new variables, lsm_count_prop_subj and lsm_count_prop_obj, to
count the number of lsm_prop entries for subjects and objects across all
of the enabled LSMs.  Future patches will use this to continue the
conversion towards the lsm_prop struct.

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 include/linux/lsm_hooks.h         | 6 ++++++
 security/apparmor/lsm.c           | 1 +
 security/bpf/hooks.c              | 1 +
 security/commoncap.c              | 1 +
 security/integrity/evm/evm_main.c | 1 +
 security/integrity/ima/ima_main.c | 1 +
 security/ipe/ipe.c                | 1 +
 security/landlock/setup.c         | 1 +
 security/loadpin/loadpin.c        | 1 +
 security/lockdown/lockdown.c      | 1 +
 security/lsm.h                    | 4 ++++
 security/lsm_init.c               | 6 ++++++
 security/safesetid/lsm.c          | 1 +
 security/security.c               | 3 +++
 security/selinux/hooks.c          | 1 +
 security/smack/smack_lsm.c        | 1 +
 security/tomoyo/tomoyo.c          | 1 +
 security/yama/yama_lsm.c          | 1 +
 18 files changed, 33 insertions(+)

Patch

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 0d2c2a017ffc..5bc144c5f685 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -71,16 +71,22 @@  struct lsm_static_calls_table {
 	#undef LSM_HOOK
 } __packed __randomize_layout;
 
+#define LSM_ID_FLG_NONE			0x00000000
+#define LSM_ID_FLG_PROP_SUBJ		0x00000001
+#define LSM_ID_FLG_PROP_OBJ		0x00000002
+
 /**
  * struct lsm_id - Identify a Linux Security Module.
  * @lsm: name of the LSM, must be approved by the LSM maintainers
  * @id: LSM ID number from uapi/linux/lsm.h
+ * @flags: LSM flags, see LSM_ID_FLG_XXX
  *
  * Contains the information that identifies the LSM.
  */
 struct lsm_id {
 	const char *name;
 	u64 id;
+	u32 flags;
 };
 
 /*
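Review bot: The new `@flags` kernel-doc refers to LSM_ID_FLG_XXX, but the three macros added above the struct carry no description, and nothing records that an lsm_id initializer which omits `.flags` is zero-initialized to LSM_ID_FLG_NONE and is therefore counted as providing no lsm_prop entry. Suggest a one-line comment per macro, e.g. `/* LSM_ID_FLG_PROP_SUBJ: the LSM supplies a subject entry in struct lsm_prop */` with matching wording for PROP_OBJ, and widening the field line to `@flags: LSM_ID_FLG_XXX bitmask; zero (LSM_ID_FLG_NONE) means the LSM has no lsm_prop entries`. Since struct lsm_id is the registration interface every LSM fills in, stating the default here is what keeps a future LSM's omitted field from silently under-counting in lsm_order_append().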
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 2fefaab6349f..db8592bed189 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -1428,6 +1428,7 @@  struct lsm_blob_sizes apparmor_blob_sizes __ro_after_init = {
 static const struct lsm_id apparmor_lsmid = {
 	.name = "apparmor",
 	.id = LSM_ID_APPARMOR,
+	.flags = LSM_ID_FLG_PROP_SUBJ,
 };
 
 static struct security_hook_list apparmor_hooks[] __ro_after_init = {
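Review bot: AppArmor is the only LSM in this series flagged LSM_ID_FLG_PROP_SUBJ without LSM_ID_FLG_PROP_OBJ, while bpf, selinux and smack set both. If that is intentional, a one-line comment on the initializer such as `/* subject label only; AppArmor keeps no object entry in struct lsm_prop */` would save the next reader from assuming the object flag was forgotten; if it is not intentional the count in lsm_count_prop_obj will be one short for every configuration that enables AppArmor.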
diff --git a/security/bpf/hooks.c b/security/bpf/hooks.c
index 40efde233f3a..c72df6ff69f7 100644
--- a/security/bpf/hooks.c
+++ b/security/bpf/hooks.c
@@ -18,6 +18,7 @@  static struct security_hook_list bpf_lsm_hooks[] __ro_after_init = {
 static const struct lsm_id bpf_lsmid = {
 	.name = "bpf",
 	.id = LSM_ID_BPF,
+	.flags = LSM_ID_FLG_PROP_SUBJ | LSM_ID_FLG_PROP_OBJ,
 };
 
 static int __init bpf_lsm_init(void)
diff --git a/security/commoncap.c b/security/commoncap.c
index e04aa4f50eaf..fab692104c87 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -1479,6 +1479,7 @@  int cap_mmap_addr(unsigned long addr)
 static const struct lsm_id capability_lsmid = {
 	.name = "capability",
 	.id = LSM_ID_CAPABILITY,
+	.flags = LSM_ID_FLG_NONE,
 };
 
 static struct security_hook_list capability_hooks[] __ro_after_init = {
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 770d0411da2b..b3a3324f48b1 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -1162,6 +1162,7 @@  static struct security_hook_list evm_hooks[] __ro_after_init = {
 static const struct lsm_id evm_lsmid = {
 	.name = "evm",
 	.id = LSM_ID_EVM,
+	.flags = LSM_ID_FLG_NONE,
 };
 
 static int __init init_evm_lsm(void)
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 1687badafb48..d98e7815175b 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -1237,6 +1237,7 @@  static struct security_hook_list ima_hooks[] __ro_after_init = {
 static const struct lsm_id ima_lsmid = {
 	.name = "ima",
 	.id = LSM_ID_IMA,
+	.flags = LSM_ID_FLG_NONE,
 };
 
 static int __init init_ima_lsm(void)
diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
index 71644748ed56..7d9cdbc3d23a 100644
--- a/security/ipe/ipe.c
+++ b/security/ipe/ipe.c
@@ -24,6 +24,7 @@  static struct lsm_blob_sizes ipe_blobs __ro_after_init = {
 static const struct lsm_id ipe_lsmid = {
 	.name = "ipe",
 	.id = LSM_ID_IPE,
+	.flags = LSM_ID_FLG_NONE,
 };
 
 struct ipe_superblock *ipe_sb(const struct super_block *sb)
diff --git a/security/landlock/setup.c b/security/landlock/setup.c
index 47dac1736f10..5c8d5693c4c7 100644
--- a/security/landlock/setup.c
+++ b/security/landlock/setup.c
@@ -25,6 +25,7 @@  bool landlock_initialized __ro_after_init = false;
 const struct lsm_id landlock_lsmid = {
 	.name = LANDLOCK_NAME,
 	.id = LSM_ID_LANDLOCK,
+	.flags = LSM_ID_FLG_NONE,
 };
 
 struct lsm_blob_sizes landlock_blob_sizes __ro_after_init = {
diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c
index 273ffbd6defe..05a842c36fd8 100644
--- a/security/loadpin/loadpin.c
+++ b/security/loadpin/loadpin.c
@@ -211,6 +211,7 @@  static int loadpin_load_data(enum kernel_load_data_id id, bool contents)
 static const struct lsm_id loadpin_lsmid = {
 	.name = "loadpin",
 	.id = LSM_ID_LOADPIN,
+	.flags = LSM_ID_FLG_NONE,
 };
 
 static struct security_hook_list loadpin_hooks[] __ro_after_init = {
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index 8d46886d2cca..a2396b67bfe4 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -79,6 +79,7 @@  static struct security_hook_list lockdown_hooks[] __ro_after_init = {
 static const struct lsm_id lockdown_lsmid = {
 	.name = "lockdown",
 	.id = LSM_ID_LOCKDOWN,
+	.flags = LSM_ID_FLG_NONE,
 };
 
 static int __init lockdown_lsm_init(void)
diff --git a/security/lsm.h b/security/lsm.h
index c432dc0c5e30..d1d54540da98 100644
--- a/security/lsm.h
+++ b/security/lsm.h
@@ -24,6 +24,10 @@  extern bool lsm_debug;
 extern unsigned int lsm_count;
 extern const struct lsm_id *lsm_idlist[];
 
+/* LSM property configuration */
+extern unsigned int lsm_count_prop_subj;
+extern unsigned int lsm_count_prop_obj;
+
 /* LSM blob configuration */
 extern struct lsm_blob_sizes blob_sizes;
 
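Review bot: The two new externs are only labelled "LSM property configuration", so a reader of lsm.h cannot tell whether they count LSMs, lsm_prop entries, or bytes. Suggest replacing that line with `/* number of enabled LSMs that supply a subject / object entry in struct lsm_prop */`; the same description would suit the definitions added in security/security.c, where the variables are marked __ro_after_init and the header could also say they are fixed once initialization completes.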
diff --git a/security/lsm_init.c b/security/lsm_init.c
index cad6d243a2a6..c2ef4db055db 100644
--- a/security/lsm_init.c
+++ b/security/lsm_init.c
@@ -6,6 +6,7 @@ 
 #define pr_fmt(fmt) "LSM: " fmt
 
 #include <linux/init.h>
+#include <linux/lsm_count.h>
 #include <linux/lsm_hooks.h>
 
 #include "lsm.h"
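Review bot: The added `#include <linux/lsm_count.h>` is not used by anything else this patch changes in lsm_init.c; the counting hunk below only touches lsm_count_prop_subj/obj and the LSM_ID_FLG_* bits from lsm_hooks.h. If the header is needed for a symbol this file already references (MAX_LSM_COUNT, say) the include belongs with the patch that introduced that use; if not, it should be dropped so the dependency does not look like part of the counting change.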
@@ -189,6 +190,11 @@  static void __init lsm_order_append(struct lsm_info *lsm, const char *src)
 	lsm_order[lsm_count] = lsm;
 	lsm_idlist[lsm_count++] = lsm->id;
 
+	if (lsm->id->flags & LSM_ID_FLG_PROP_SUBJ)
+		lsm_count_prop_subj++;
+	if (lsm->id->flags & LSM_ID_FLG_PROP_OBJ)
+		lsm_count_prop_obj++;
+
 	lsm_pr_dbg("enabling LSM %s:%s\n", src, lsm->id->name);
 }
 
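Review bot: The two counter increments sit between the lsm_idlist bookkeeping and the debug print with no comment explaining why they are tracked separately from lsm_count; a short `/* tally LSMs that will contribute subject/object entries to struct lsm_prop */` above the first `if` would do. lsm_order_append() begins before this hunk (its signature appears only in the @@ context), so it is not visible here whether an LSM can still be removed from lsm_order after being appended; if it can, the counters would have to be adjusted in the same place, since they are __ro_after_init and cannot be corrected later.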
diff --git a/security/safesetid/lsm.c b/security/safesetid/lsm.c
index d5fb949050dd..ac25674376fe 100644
--- a/security/safesetid/lsm.c
+++ b/security/safesetid/lsm.c
@@ -265,6 +265,7 @@  static int safesetid_task_fix_setgroups(struct cred *new, const struct cred *old
 static const struct lsm_id safesetid_lsmid = {
 	.name = "safesetid",
 	.id = LSM_ID_SAFESETID,
+	.flags = LSM_ID_FLG_NONE,
 };
 
 static struct security_hook_list safesetid_security_hooks[] = {
diff --git a/security/security.c b/security/security.c
index cbd544d71093..2b9dde02f4de 100644
--- a/security/security.c
+++ b/security/security.c
@@ -78,6 +78,9 @@  bool lsm_debug __ro_after_init;
 unsigned int lsm_count __ro_after_init;
 const struct lsm_id *lsm_idlist[MAX_LSM_COUNT];
 
+unsigned int lsm_count_prop_subj __ro_after_init;
+unsigned int lsm_count_prop_obj __ro_after_init;
+
 struct lsm_blob_sizes blob_sizes;
 
 struct kmem_cache *lsm_file_cache;
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 95b2399b1f4d..1dc4b3987af4 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -7200,6 +7200,7 @@  static int selinux_uring_allowed(void)
 static const struct lsm_id selinux_lsmid = {
 	.name = "selinux",
 	.id = LSM_ID_SELINUX,
+	.flags = LSM_ID_FLG_PROP_SUBJ | LSM_ID_FLG_PROP_OBJ,
 };
 
 /*
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 80b129a0c92c..d04667a42f91 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -5042,6 +5042,7 @@  struct lsm_blob_sizes smack_blob_sizes __ro_after_init = {
 static const struct lsm_id smack_lsmid = {
 	.name = "smack",
 	.id = LSM_ID_SMACK,
+	.flags = LSM_ID_FLG_PROP_SUBJ | LSM_ID_FLG_PROP_OBJ,
 };
 
 static struct security_hook_list smack_hooks[] __ro_after_init = {
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index a015cf0c4a00..0a030cbdf424 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -547,6 +547,7 @@  static void tomoyo_task_free(struct task_struct *task)
 static const struct lsm_id tomoyo_lsmid = {
 	.name = "tomoyo",
 	.id = LSM_ID_TOMOYO,
+	.flags = LSM_ID_FLG_NONE,
 };
 
 /* tomoyo_hooks is used for registering TOMOYO. */
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
index 38b21ee0c560..e4a6cf663177 100644
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -419,6 +419,7 @@  static int yama_ptrace_traceme(struct task_struct *parent)
 static const struct lsm_id yama_lsmid = {
 	.name = "yama",
 	.id = LSM_ID_YAMA,
+	.flags = LSM_ID_FLG_NONE,
 };
 
 static struct security_hook_list yama_hooks[] __ro_after_init = {