From patchwork Mon Nov 26 23:38:20 2018
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 10699405
Subject: [PATCH v5 15/38] LSM: Split LSM preparation from initialization
To: James Morris, LSM, LKLM, SE Linux
Cc: John Johansen, Kees Cook, Tetsuo Handa, Paul Moore, "linux-fsdevel@vger.kernel.org", Stephen Smalley, Alexey Dobriyan, Mickaël Salaün, Salvatore Mesoraca
References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>
From: Casey Schaufler
Date: Mon, 26 Nov 2018 15:38:20 -0800
In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>

Since we already have to do a pass through the LSMs to figure out if exclusive LSMs should be disabled after the first one is seen as enabled, this splits the logic up a bit more cleanly. Now we do a full "prepare" pass through the LSMs (which also allows for later use by the blob-sharing code), before starting the LSM initialization pass.

Signed-off-by: Kees Cook
---
 security/security.c | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/security/security.c b/security/security.c index df71b54c1ba4..3fac0ff39944 100644 --- a/security/security.c +++ b/security/security.c
@@ -139,22 +139,28 @@ static bool __init lsm_allowed(struct lsm_info *lsm) return true; } -/* Check if LSM should be initialized. */ -static void __init maybe_initialize_lsm(struct lsm_info *lsm) +/* Prepare LSM for initialization. */ +static void __init prepare_lsm(struct lsm_info *lsm) { int enabled = lsm_allowed(lsm); /* Record enablement (to handle any following exclusive LSMs). */ set_enabled(lsm, enabled); - /* If selected, initialize the LSM. */ + /* If enabled, do pre-initialization work. */ if (enabled) { - int ret; - if ((lsm->flags & LSM_FLAG_EXCLUSIVE) && !exclusive) { exclusive = lsm; init_debug("exclusive chosen: %s\n", lsm->name); } + } +} + +/* Initialize a given LSM, if it is enabled. */ +static void __init initialize_lsm(struct lsm_info *lsm) +{ + if (is_enabled(lsm)) { + int ret; init_debug("initializing %s\n", lsm->name); ret = lsm->init(); @@ -240,7 +246,10 @@ static void __init ordered_lsm_init(void) ordered_lsm_parse(builtin_lsm_order, "builtin"); for (lsm = ordered_lsms; *lsm; lsm++) - maybe_initialize_lsm(*lsm); + prepare_lsm(*lsm); + + for (lsm = ordered_lsms; *lsm; lsm++) + initialize_lsm(*lsm); kfree(ordered_lsms); }
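Review bot: In the first hunk (@@ -139,22 +139,28 @@), initialize_lsm() decides from is_enabled(lsm) instead of the local lsm_allowed() result, so it is only correct for an lsm that prepare_lsm() has already visited and recorded with set_enabled(). The comment "Initialize a given LSM, if it is enabled." should state that precondition, for example "must run after prepare_lsm() has recorded enablement for every ordered LSM", so a later caller does not invoke it on an entry whose enabled state was never set. As a smaller style point, the `if (enabled) {` block in prepare_lsm() now wraps only the exclusive check; if it is kept as a placeholder for the blob-sharing work the commit message mentions, a comment saying so would explain the otherwise redundant nesting.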
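Review bot: In the second hunk (@@ -240,7 +246,10 @@), the two back-to-back loops over ordered_lsms in ordered_lsm_init() carry no comment explaining why they cannot be merged; the reason (enablement and the exclusive selection must be settled for every LSM before any lsm->init() runs) lives only in the commit message. A one-line comment above each loop would keep a later cleanup from folding them back together. Note also that the init_debug() output changes order with this split: every "exclusive chosen: %s" line is now emitted before the first "initializing %s" line, which is worth mentioning in the changelog for anyone comparing boot logs.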