From patchwork Mon Nov 26 23:37:24 2018
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 10699403
Subject: [PATCH v5 14/38] LSM: Add all exclusive LSMs to ordered initialization
To: James
Morris , LSM , LKLM , SE Linux Cc: John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , "linux-fsdevel@vger.kernel.org" , Stephen Smalley , Alexey Dobriyan , =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Salvatore Mesoraca References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> From: Casey Schaufler Message-ID: Date: Mon, 26 Nov 2018 15:37:24 -0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> Content-Language: en-US Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP This removes CONFIG_DEFAULT_SECURITY in favor of the explicit ordering offered by CONFIG_LSM and adds all the exclusive LSMs to the ordered LSM initialization. The old meaning of CONFIG_DEFAULT_SECURITY is now captured by which exclusive LSM is listed first in the LSM order. All LSMs not added to the ordered list are explicitly disabled. Signed-off-by: Kees Cook Signed-off-by: Casey Schaufler --- security/security.c | 45 ++++++++++++++++++++------------------------- 1 file changed, 20 insertions(+), 25 deletions(-) diff --git a/security/security.c b/security/security.c index 0009ef6c83fa..df71b54c1ba4 100644 --- a/security/security.c +++ b/security/security.c @@ -169,8 +169,6 @@ static void __init ordered_lsm_parse(const char *order, const char *origin) char *sep, *name, *next; /* Process "security=", if given. */ - if (!chosen_major_lsm) - chosen_major_lsm = CONFIG_DEFAULT_SECURITY; if (chosen_major_lsm) { struct lsm_info *major; @@ -198,8 +196,7 @@ static void __init ordered_lsm_parse(const char *order, const char *origin) bool found = false; for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { - if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0 && - strcmp(lsm->name, name) == 0) { + if (strcmp(lsm->name, name) == 0) { append_ordered_lsm(lsm, origin); found = true; } 
@@ -208,6 +205,25 @@ static void __init ordered_lsm_parse(const char *order, const char *origin) if (!found) init_debug("%s ignored: %s\n", origin, name); } + + /* Process "security=", if given. */ + if (chosen_major_lsm) { + for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { + if (exists_ordered_lsm(lsm)) + continue; + if (strcmp(lsm->name, chosen_major_lsm) == 0) + append_ordered_lsm(lsm, "security="); + } + } + + /* Disable all LSMs not in the ordered list. */ + for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { + if (exists_ordered_lsm(lsm)) + continue; + set_enabled(lsm, false); + init_debug("%s disabled: %s\n", origin, lsm->name); + } + kfree(sep); } @@ -229,22 +245,6 @@ static void __init ordered_lsm_init(void) kfree(ordered_lsms); } -static void __init major_lsm_init(void) -{ - struct lsm_info *lsm; - - for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { - if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0) - continue; - - /* Enable this LSM, if it is not already set. */ - if (!lsm->enabled) - lsm->enabled = &lsm_enabled_true; - - maybe_initialize_lsm(lsm); - } -} - /** * security_init - initializes the security framework * @@ -271,11 +271,6 @@ int __init security_init(void) /* Load LSMs in specified order. */ ordered_lsm_init(); - /* - * Load all the remaining security modules. - */ - major_lsm_init(); - return 0; }
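Review bot: in the first hunk (@@ -169,8 +169,6 @@) the fallback `chosen_major_lsm = CONFIG_DEFAULT_SECURITY;` is dropped, but the diffstat shows only security/security.c changing, so the Kconfig symbol itself is not removed by this patch; either the Kconfig change is in another patch of the series (then the commit message should say so) or this leaves a dangling CONFIG_DEFAULT_SECURITY option that no longer has any effect.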
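Review bot: in the second hunk (@@ -198,8 +196,7 @@) dropping the `(lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0` test means an exclusive LSM named in lsm=/CONFIG_LSM is appended like any other, and nothing in this hunk stops two exclusive modules from both being appended when both are listed; if that guard lives elsewhere (maybe_initialize_lsm(), for instance), a one-line comment at the `if (strcmp(lsm->name, name) == 0) {` branch saying where exclusivity is enforced would save the next reader a search.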
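Review bot: in the third hunk (@@ -208,6 +205,25 @@) the new security= loop has no equivalent of the `init_debug("%s ignored: %s\n", origin, name);` that the lsm= path prints: if chosen_major_lsm names an LSM that is not built in (or is misspelled), the request is silently dropped and the user only sees the first exclusive LSM from CONFIG_LSM come up. Track a `found` flag as the loop above does and emit an `init_debug("security= ignored: %s\n", chosen_major_lsm);` when nothing matched. It is also worth a comment that appending the security= choice after the CONFIG_LSM entries relies on the earlier `if (chosen_major_lsm) {` block near the top of ordered_lsm_parse() (not shown in full here) to deal with a competing exclusive LSM that appears earlier in the order.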
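Review bot: in the fourth hunk (@@ -229,22 +245,6 @@) the removed major_lsm_init() did `if (!lsm->enabled) lsm->enabled = &lsm_enabled_true;` for legacy majors before calling maybe_initialize_lsm(); nothing in this diff shows the ordered path doing the same, so please confirm that append_ordered_lsm()/maybe_initialize_lsm() cope with an exclusive LSM whose `enabled` pointer is NULL, otherwise a module that previously came up by default could now be skipped or dereference NULL.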
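Review bot: in the last hunk (@@ -271,11 +271,6 @@) `ordered_lsm_init();` becomes the only initialization path in security_init(), so the surviving `/* Load LSMs in specified order. */` comment should say that the order now also covers the security= selection and every exclusive LSM, which the removed "Load all the remaining security modules." comment used to document.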