| Message ID | 20221102171025.126961-1-penguin-kernel@I-love.SAKURA.ne.jp (mailing list archive) |
|---|---|
| State | Rejected |
| Delegated to | Paul Moore |
| Series | [01/10] security: Export security_hook_heads |
diff --git a/security/security.c b/security/security.c index 79d82cb6e469..fd7b9b1f8348 100644 --- a/security/security.c +++ b/security/security.c @@ -75,6 +75,7 @@ const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { }; struct security_hook_heads security_hook_heads __lsm_ro_after_init; +EXPORT_SYMBOL_GPL(security_hook_heads); static BLOCKING_NOTIFIER_HEAD(blocking_lsm_notifier_chain); static struct kmem_cache *lsm_file_cache;
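Review bot: the exported variable is declared `__lsm_ro_after_init` in the context line `struct security_hook_heads security_hook_heads __lsm_ro_after_init;`, so in the read-only-after-init configuration a module loaded via insmod can walk the hook lists but cannot write new entries into them, and the commit message should state which configuration the patch expects modules to be loaded under and what the export is meant to permit in each case. The export also makes the LSM hook lists reachable from any GPL module, which changes who can observe and attach to the security hooks, so a short comment above the `EXPORT_SYMBOL_GPL(security_hook_heads);` line naming the intended consumers belongs in this hunk rather than only in the commit message.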
LSM modules which can be loaded using /sbin/insmod need to be able to access security_hook_heads, for security_add_hooks() is marked as an __init function, which cannot be accessed from loadable kernel modules.

LSM modules which can be loaded using /sbin/insmod are developed in order to make it possible to enable LSM modules without replacing or rebuilding the whole kernel, for distributors disable LSM modules which they cannot afford to support via kernel config options, while users cannot afford to enable LSM modules which they want to use by replacing or rebuilding the whole kernel.

Now that I'm demonstrating CaitSith as one such LSM module, export the security_hook_heads list.

Unlike introducing an LSM manager module which could provide the ability to load/unload loadable LSM modules, exporting only security_hook_heads does not affect the performance of built-in LSM modules and will increase the kernel size only a little. Therefore, there is no kernel config option for this change.

Distributors who believe that loadable LSM modules are unacceptable might try to make it harder to use loadable LSM modules by unexporting security_hook_heads. But we cannot hide security_hook_heads perfectly, for binary code analysis allows loadable kernel modules to identify the address of security_hook_heads. It is just a matter of cleanness of code.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 security/security.c | 1 +
 1 file changed, 1 insertion(+)