From patchwork Mon Sep 18 21:24:56 2023
X-Patchwork-Submitter: KP Singh
X-Patchwork-Id: 13390496
X-Patchwork-Delegate: bpf@iogearbox.net
From: KP Singh
To: linux-security-module@vger.kernel.org, bpf@vger.kernel.org
Cc: paul@paul-moore.com, keescook@chromium.org, casey@schaufler-ca.com, song@kernel.org, daniel@iogearbox.net, ast@kernel.org, kpsingh@kernel.org, Kui-Feng Lee
Subject: [PATCH v3 2/5] security: Count the LSMs enabled at compile time
Date: Mon, 18 Sep 2023 23:24:56 +0200
Message-ID: <20230918212459.1937798-3-kpsingh@kernel.org>
In-Reply-To: <20230918212459.1937798-1-kpsingh@kernel.org>
References: <20230918212459.1937798-1-kpsingh@kernel.org>
X-Mailing-List: bpf@vger.kernel.org

These macros are a clever trick to determine a count of the number of LSMs that are enabled in the config to ascertain the maximum number of static calls that need to be configured per LSM hook.

Without this one would need to generate static calls for (number of possible LSMs * number of LSM hooks) which ends up being quite wasteful especially when some LSMs are not compiled into the kernel.

Suggested-by: Kui-Feng Lee
Suggested-by: Andrii Nakryiko
Reviewed-by: Kees Cook
Reviewed-by: Casey Schaufler
Acked-by: Song Liu
---
 include/linux/lsm_count.h | 106 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 106 insertions(+)
 create mode 100644 include/linux/lsm_count.h

diff --git a/include/linux/lsm_count.h b/include/linux/lsm_count.h
new file mode 100644
index 000000000000..0c0ff3c7dddc
--- /dev/null
+++ b/include/linux/lsm_count.h
@@ -0,0 +1,106 @@ +/* SPDX-License-Identifier: GPL-2.0 */ + +/* + * Copyright (C) 2023 Google LLC. + */ + +#ifndef __LINUX_LSM_COUNT_H +#define __LINUX_LSM_COUNT_H + +#include + +#ifdef CONFIG_SECURITY + +/* + * Macros to count the number of LSMs enabled in the kernel at compile time. + */ + +/* + * Capabilities is enabled when CONFIG_SECURITY is enabled. + */ +#if IS_ENABLED(CONFIG_SECURITY) +#define CAPABILITIES_ENABLED 1, +#else +#define CAPABILITIES_ENABLED +#endif + +#if IS_ENABLED(CONFIG_SECURITY_SELINUX) +#define SELINUX_ENABLED 1, +#else +#define SELINUX_ENABLED +#endif + +#if IS_ENABLED(CONFIG_SECURITY_SMACK) +#define SMACK_ENABLED 1, +#else +#define SMACK_ENABLED +#endif + +#if IS_ENABLED(CONFIG_SECURITY_APPARMOR) +#define APPARMOR_ENABLED 1, +#else +#define APPARMOR_ENABLED +#endif + +#if IS_ENABLED(CONFIG_SECURITY_TOMOYO) +#define TOMOYO_ENABLED 1, +#else +#define TOMOYO_ENABLED +#endif + +#if IS_ENABLED(CONFIG_SECURITY_YAMA) +#define YAMA_ENABLED 1, +#else +#define YAMA_ENABLED +#endif + +#if IS_ENABLED(CONFIG_SECURITY_LOADPIN) +#define LOADPIN_ENABLED 1, +#else +#define LOADPIN_ENABLED +#endif + +#if IS_ENABLED(CONFIG_SECURITY_LOCKDOWN_LSM) +#define LOCKDOWN_ENABLED 1, +#else +#define LOCKDOWN_ENABLED +#endif + +#if IS_ENABLED(CONFIG_BPF_LSM) +#define BPF_LSM_ENABLED 1, +#else +#define BPF_LSM_ENABLED +#endif + +#if IS_ENABLED(CONFIG_SECURITY_LANDLOCK) +#define LANDLOCK_ENABLED 1, +#else +#define LANDLOCK_ENABLED +#endif + + +#define __COUNT_COMMAS(_0, _1, _2, _3, _4, _5, _6, _7, _8, _9, _10, _11, _12, _n, X...) _n +#define COUNT_COMMAS(a, X...) __COUNT_COMMAS(, ##X, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0) +#define ___COUNT_COMMAS(args...) 
COUNT_COMMAS(args) + + +#define MAX_LSM_COUNT \ + ___COUNT_COMMAS( \ + CAPABILITIES_ENABLED \ + SELINUX_ENABLED \ + SMACK_ENABLED \ + APPARMOR_ENABLED \ + TOMOYO_ENABLED \ + YAMA_ENABLED \ + LOADPIN_ENABLED \ + LOCKDOWN_ENABLED \ + BPF_LSM_ENABLED \ + LANDLOCK_ENABLED) + +#else + +#define MAX_LSM_COUNT 0 + +#endif /* CONFIG_SECURITY */ + +#endif /* __LINUX_LSM_COUNT_H */
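Review bot: the slot list in __COUNT_COMMAS silently caps the count at 12: there are 13 named slots (_0 to _12) ahead of _n, and MAX_LSM_COUNT already feeds it ten entries, so with a 13th LSM the trailing empty argument lands in _n and MAX_LSM_COUNT expands to nothing, and with a 14th it expands to a wrong count. A comment above __COUNT_COMMAS stating the limit, and that the slot list and the countdown `12, 11, ..., 0` must grow together with the LSM list, would keep the next LSM author from tripping over this; a compile-time check that MAX_LSM_COUNT is non-zero would fail the build loudly instead. Related: the single-LSM configuration (CONFIG_SECURITY with only capabilities) leaves X as a present-but-empty argument in `, ##X`, so the result for that case rests on how the GNU comma-deletion extension treats an empty rather than an omitted variadic argument; that reliance deserves a sentence in the comment, or a form that does not use `##` at all. Minor: `#if IS_ENABLED(CONFIG_SECURITY)` sits inside `#ifdef CONFIG_SECURITY`, so its #else branch is unreachable and CAPABILITIES_ENABLED could simply be `1,` under the existing comment.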
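The counting trick described in the commit message, as an added example that is not part of the patch: the patch's three macros applied to a constructed set of five hypothetical modules (MOD_A to MOD_E, three of them enabled), plus the largest list the slots can count. It assumes gcc or clang, since `, ##X` is a GNU extension.

```c
/* Added example (not from the patch): the comma-counting trick from
 * lsm_count.h, applied to five hypothetical modules.  Relies on the GNU
 * ", ##X" comma-deletion extension (gcc/clang). */
#include <stdio.h>

/* Each enabled module expands to "1," and each disabled one to nothing,
 * so the concatenated list carries one "1," per enabled module. */
#define MOD_A_ENABLED 1,
#define MOD_B_ENABLED
#define MOD_C_ENABLED 1,
#define MOD_D_ENABLED
#define MOD_E_ENABLED 1,

/* Same macros as the patch.  For N enabled modules the list is N ones plus
 * a trailing empty argument; COUNT_COMMAS drops the first one as "a", and
 * __COUNT_COMMAS then sees: empty, N-1 ones, empty, 12, 11, ..., 0.  The
 * countdown is pushed right by N+1 slots, so the 14th slot (_n) lands on N.
 * Slots _0.._12 bound the scheme to 12 entries; a 13th makes _n empty. */
#define __COUNT_COMMAS(_0, _1, _2, _3, _4, _5, _6, _7, _8, _9, _10, _11, _12, _n, X...) _n
#define COUNT_COMMAS(a, X...) __COUNT_COMMAS(, ##X, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0)
/* The extra layer matters: the MOD_*_ENABLED tokens are collected as ONE
 * argument (no literal commas yet) and only expand into "1, 1, 1," before
 * the rescan that invokes COUNT_COMMAS, where the commas finally split
 * the list into separate arguments. */
#define ___COUNT_COMMAS(args...) COUNT_COMMAS(args)

#define ENABLED_COUNT \
	___COUNT_COMMAS(MOD_A_ENABLED MOD_B_ENABLED MOD_C_ENABLED MOD_D_ENABLED MOD_E_ENABLED)

/* The largest list the 13 named slots can count correctly. */
#define FULL_TABLE_COUNT ___COUNT_COMMAS(1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,)

/* The result is an integer constant expression: usable as an array bound
 * and in a compile-time check, which is what sizing static calls needs. */
static int per_module_slot[ENABLED_COUNT];
_Static_assert(ENABLED_COUNT == 3, "three hypothetical modules are enabled");

int enabled_count(void)    { return ENABLED_COUNT; }
int full_table_count(void) { return FULL_TABLE_COUNT; }
int slots_allocated(void)  { return (int)(sizeof(per_module_slot) / sizeof(per_module_slot[0])); }

int main(void)
{
	printf("enabled: %d, slots: %d, max countable: %d\n",
	       enabled_count(), slots_allocated(), full_table_count());
	return 0;
}
```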