From patchwork Mon Nov 26 23:32:40 2018
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 10699373
Subject: [PATCH v5 08/38] LSM: Tie enabling logic to presence in ordered list
To: James Morris
, LSM, LKLM, SE Linux
Cc: John Johansen, Kees Cook, Tetsuo Handa, Paul Moore, "linux-fsdevel@vger.kernel.org", Stephen Smalley, Alexey Dobriyan, Mickaël Salaün, Salvatore Mesoraca
References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>
From: Casey Schaufler
Message-ID: <602079a2-b7f8-4c8d-8fd7-fc6e90095335@schaufler-ca.com>
Date: Mon, 26 Nov 2018 15:32:40 -0800
In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>

Until now, any LSM without an enable storage variable was considered enabled. This inverts the logic and sets defaults to true only if the LSM gets added to the ordered initialization list. (And an exception continues for the major LSMs until they are integrated into the ordered initialization in a later patch.)

Signed-off-by: Kees Cook
---
 include/linux/lsm_hooks.h |  2 +-
 security/security.c       | 14 +++++++++++---
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index dabd2761acfc..272791fdd26e 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2044,7 +2044,7 @@ extern void security_add_hooks(struct security_hook_list *hooks, int count, struct lsm_info { const char *name; /* Required. */ unsigned long flags; /* Optional: flags describing LSM */ - int *enabled; /* Optional: NULL means enabled. */ + int *enabled; /* Optional: controlled by CONFIG_LSM */ int (*init)(void); /* Required. */ }; diff --git a/security/security.c b/security/security.c index 38fc436e8b4b..ea760d625af6 100644 --- a/security/security.c +++ b/security/security.c 
@@ -63,10 +63,10 @@ static __initdata bool debug; static bool __init is_enabled(struct lsm_info *lsm) { - if (!lsm->enabled || *lsm->enabled) - return true; + if (!lsm->enabled) + return false; - return false; + return *lsm->enabled; } /* Mark an LSM's enabled flag. */ @@ -117,7 +117,11 @@ static void __init append_ordered_lsm(struct lsm_info *lsm, const char *from) if (WARN(last_lsm == LSM_COUNT, "%s: out of LSM slots!?\n", from)) return; + /* Enable this LSM, if it is not already set. */ + if (!lsm->enabled) + lsm->enabled = &lsm_enabled_true; ordered_lsms[last_lsm++] = lsm; + init_debug("%s ordering: %s (%sabled)\n", from, lsm->name, is_enabled(lsm) ? "en" : "dis"); } @@ -210,6 +214,10 @@ static void __init major_lsm_init(void) if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0) continue; + /* Enable this LSM, if it is not already set. */ + if (!lsm->enabled) + lsm->enabled = &lsm_enabled_true; + maybe_initialize_lsm(lsm); } }
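Review bot: the new comment on `enabled` in the lsm_hooks.h hunk, `/* Optional: controlled by CONFIG_LSM */`, no longer tells a reader what a NULL pointer means, and this patch has just inverted that meaning: NULL used to mean enabled and now means disabled unless the LSM is placed in the ordered list or is a legacy major LSM. Suggest spelling that out, e.g. `/* Optional: NULL means disabled unless enabled via CONFIG_LSM ordering. */`, since an LSM author reading only the header will otherwise not learn that leaving the field NULL now switches their module off.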
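Review bot: in the is_enabled() hunk, returning false for a NULL `enabled` pointer is the intended inversion, but it makes every later is_enabled() result depend on the ordered-list or major-LSM path having already pointed `enabled` at `lsm_enabled_true`; a built-in LSM that never reaches ordered_lsms is now silently reported as disabled with no message. The init_debug() line added in append_ordered_lsm() only covers LSMs that do reach the list, so consider logging the ones that are skipped as well, and confirm that the "Mark an LSM's enabled flag" helper that follows this hunk tolerates a NULL pointer, since NULL is now a long-lived state for such LSMs.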
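Review bot: in the append_ordered_lsm() hunk, `lsm->enabled = &lsm_enabled_true;` points every LSM that lacks its own flag at one shared, non-const `int`; because `enabled` is declared `int *` rather than `const int *`, any later write through the pointer (for example, a flag-marking path that disables an LSM named on the command line) would flip the shared value and disable all such LSMs at once, not just the one being changed. Suggest either making the shared default `const` and the field `const int *`, or guaranteeing that nothing ever writes through a pointer that aliases `lsm_enabled_true`. `lsm_enabled_true` itself is not introduced in this patch, so the commit message should say where it is defined.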
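Review bot: the major_lsm_init() hunk duplicates the three-line enable block from append_ordered_lsm() verbatim (`/* Enable this LSM, if it is not already set. */`, `if (!lsm->enabled)`, `lsm->enabled = &lsm_enabled_true;`); a small static helper would keep the two paths from drifting, which matters here because the commit message says the major-LSM exception is temporary and will be folded into the ordered path later. The comment wording is also slightly misleading: the check is whether the LSM has an `enabled` storage variable at all, not whether it is already enabled, so something like "Default to enabled if the LSM has no enable flag of its own" would read more accurately.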