From patchwork Tue Sep 25 00:18:04 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10613083 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 961FB15A6 for ; Tue, 25 Sep 2018 00:18:40 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7F2DF29E9D for ; Tue, 25 Sep 2018 00:18:40 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 6EAE729EE6; Tue, 25 Sep 2018 00:18:40 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0E88329E9D for ; Tue, 25 Sep 2018 00:18:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726922AbeIYGXY (ORCPT ); Tue, 25 Sep 2018 02:23:24 -0400 Received: from mail-pg1-f196.google.com ([209.85.215.196]:42583 "EHLO mail-pg1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726464AbeIYGXY (ORCPT ); Tue, 25 Sep 2018 02:23:24 -0400 Received: by mail-pg1-f196.google.com with SMTP id y4-v6so10107797pgp.9 for ; Mon, 24 Sep 2018 17:18:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=qTlAiVyKmDi3nh8j1vnhRyGyfYh9dCrYAglaiQr2kEE=; b=Q4TLlttf9SWn5R1kA4WKpqdKlAuU/moC7pj+yvqlTzhZ9TjtdSCLF5usqIPtccSGoi OZy0pj6ErE+sjgLo47Aab7JIt8McPZewwEjok1ZFsQKb8RuaobSqi5WmzDB4ZMNZNU3u kOTs9NQ4HosS561qozeDshv+3XH966lxETk+Q= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=qTlAiVyKmDi3nh8j1vnhRyGyfYh9dCrYAglaiQr2kEE=; b=HlwU0xXJUMEaBsBe6ySkCY/98FtnuW0Z/Jya7hyStWy/CYRoyCMPnAkLrDEs5zq3+9 sl3Vw3FM8PVeu8SIKBJcDYZKjYVKZHBO2hXyGq4qM3F1PuMWKe7aXFJPRoLEsyelPcrp OcF3E69Nk52N7r10DFT+McahT8pkPHYujjAaZGo/DKwfxraSLHVbId4UcTZFfRzcEE+u CCUoSukxthVOe02x3Zte0QUJsNQ44STcZv+OnBL8rN7reRec3wR26PbkVzmyx8s0gexU oYuebZeeUj8353opve0af8umR9tJX9pSEw7juVFxh90wkjvvjKEyODT4YZ0o2QGCqnOx GbQg== X-Gm-Message-State: ABuFfogh1k9gROOzVW0V92ab15uPlZomYhV72xZKWyPxwbexOqCzSc/R csXaSworhw61ARcIJkBeks5M5Q== X-Google-Smtp-Source: ACcGV61BbY+qRvMi0uguvVPD4XNfbPTK2hiuRCRimHQGsL2x+DlosRZLJnDT4FbWIxBqTfLYeiTjLg== X-Received: by 2002:a17:902:509:: with SMTP id 9-v6mr286688plf.155.1537834718469; Mon, 24 Sep 2018 17:18:38 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id f184-v6sm594491pfc.88.2018.09.24.17.18.36 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 24 Sep 2018 17:18:37 -0700 (PDT) From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v3 01/29] LSM: Correctly announce start of LSM initialization Date: Mon, 24 Sep 2018 17:18:04 -0700 Message-Id: <20180925001832.18322-2-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180925001832.18322-1-keescook@chromium.org> References: <20180925001832.18322-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP For a while now, the LSM core has said it was "initializED", rather than "initializING". This adjust the report to be more accurate (i.e. before this was reported before any LSMs had been initialized.) Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler Reviewed-by: James Morris Reviewed-by: John Johansen --- security/security.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/security/security.c b/security/security.c index 736e78da1ab9..4cbcf244a965 100644 --- a/security/security.c +++ b/security/security.c @@ -72,10 +72,11 @@ int __init security_init(void) int i; struct hlist_head *list = (struct hlist_head *) &security_hook_heads; + pr_info("Security Framework initializing\n"); + for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct hlist_head); i++) INIT_HLIST_HEAD(&list[i]); - pr_info("Security Framework initialized\n"); /* * Load minor LSMs, with the capability module always first. From patchwork Tue Sep 25 00:18:05 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10613131 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id CD0FC14DA for ; Tue, 25 Sep 2018 00:20:40 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B9CBF29483 for ; Tue, 25 Sep 2018 00:20:40 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id AD6CF29EE6; Tue, 25 Sep 2018 00:20:40 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CC7E929483 for ; Tue, 25 Sep 2018 00:20:38 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726316AbeIYGZX (ORCPT ); Tue, 25 Sep 2018 02:25:23 -0400 Received: from mail-pf1-f196.google.com ([209.85.210.196]:35212 "EHLO mail-pf1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728288AbeIYGX1 (ORCPT ); Tue, 25 Sep 2018 02:23:27 -0400 Received: by mail-pf1-f196.google.com with SMTP id p12-v6so9924383pfh.2 for ; Mon, 24 Sep 2018 17:18:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=SJSMq1IylsdmDC6tKe2QXG4rx4NTxkWXmcEscNNPrNQ=; b=UpIzsCl5FvnGIXOYOS5hU7C0YL8/S4Y7+Iu2kiG/v6so5wwTQXrzw35wrpyCpEL897 sxUfG0q2+0cUvDcYRWkPSiOyVJk4YQGr/pZwOUo4ipAp+aFACSLSOnU3azlAGxzkPNj7 mpW7AWWrtVaksxrjiVZSpG+Ewns9rmBDjgwRg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=SJSMq1IylsdmDC6tKe2QXG4rx4NTxkWXmcEscNNPrNQ=; b=mbNjomZae0E61QOsb3a5+MgEUr1KQIOtZJsClGQc3K0krYygyTZDfQMiwFR/GiWv/Q SidmghxkZIm9ydpsQxf06JiHdOzyjMRIlbAydQsmZEfs4+FyYij8nnU5I5YfagyXBX1x Hf61W7RaT99hNyQF7vdH9dcuM2hNmQil4JmFEzg2HAmPe5ZDrcFllY1/JX0guW0yZwKB v8AwG8b6PTeVCltNjnh1hcUIL6Jd9BM58+oTgTvoIhwdRhslswbLqHJTcGXSlxzPpBq0 denLIGrMYevgBSygR73uEVlpbmUqpeiQUtc89vlD17PKCHhnIGkhfwp5XUe7QswRGELE TBbg== X-Gm-Message-State: ABuFfoga/mQr4l3Ng1U+1di4dZJN05//0f90iYsypVjDF29AzQyIooOy gfyBDgf5Ooej+sr21ahIQb8T0A== X-Google-Smtp-Source: ACcGV61mKHO+aF35FoDAEPJrqFH6Bd/hDjOvjLpCfYhZZWXD+Oz2LX6VxlVxJzxlp3g7CAigQgdZPw== X-Received: by 2002:a17:902:6b44:: with SMTP id g4-v6mr1002294plt.50.1537834722042; Mon, 24 Sep 2018 17:18:42 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id h82-v6sm549378pfa.173.2018.09.24.17.18.36 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 24 Sep 2018 17:18:37 -0700 (PDT) From: Kees Cook To: James Morris Cc: Kees Cook , Arnd Bergmann , linux-arch@vger.kernel.org, Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v3 02/29] vmlinux.lds.h: Avoid copy/paste of security_init section Date: Mon, 24 Sep 2018 17:18:05 -0700 Message-Id: <20180925001832.18322-3-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180925001832.18322-1-keescook@chromium.org> References: <20180925001832.18322-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Avoid copy/paste by defining SECURITY_INIT in terms of SECURITY_INITCALL. Cc: Arnd Bergmann Cc: linux-arch@vger.kernel.org Signed-off-by: Kees Cook Reviewed-by: James Morris Reviewed-by: John Johansen --- include/asm-generic/vmlinux.lds.h | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h index 7b75ff6e2fce..934a45395547 100644 --- a/include/asm-generic/vmlinux.lds.h +++ b/include/asm-generic/vmlinux.lds.h @@ -473,13 +473,6 @@ #define RODATA RO_DATA_SECTION(4096) #define RO_DATA(align) RO_DATA_SECTION(align) -#define SECURITY_INIT \ - .security_initcall.init : AT(ADDR(.security_initcall.init) - LOAD_OFFSET) { \ - __security_initcall_start = .; \ - KEEP(*(.security_initcall.init)) \ - __security_initcall_end = .; \ - } - /* * .text section. Map to function alignment to avoid address changes * during second ld run in second ld pass when generating System.map @@ -798,6 +791,12 @@ KEEP(*(.security_initcall.init)) \ __security_initcall_end = .; +/* Older linker script style for security init. */ +#define SECURITY_INIT \ + .security_initcall.init : AT(ADDR(.security_initcall.init) - LOAD_OFFSET) { \ + SECURITY_INITCALL \ + } + #ifdef CONFIG_BLK_DEV_INITRD #define INIT_RAM_FS \ . = ALIGN(4); \ From patchwork Tue Sep 25 00:18:06 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10613129 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id BD1C2161F for ; Tue, 25 Sep 2018 00:20:39 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A87B829E9D for ; Tue, 25 Sep 2018 00:20:39 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 9C18529EE6; Tue, 25 Sep 2018 00:20:39 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 362DE29F53 for ; Tue, 25 Sep 2018 00:20:39 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728240AbeIYGX0 (ORCPT ); Tue, 25 Sep 2018 02:23:26 -0400 Received: from mail-pg1-f195.google.com ([209.85.215.195]:38347 "EHLO mail-pg1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728075AbeIYGXZ (ORCPT ); Tue, 25 Sep 2018 02:23:25 -0400 Received: by mail-pg1-f195.google.com with SMTP id r77-v6so4989431pgr.5 for ; Mon, 24 Sep 2018 17:18:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=cNG+Umuz8gpkckvoqmDpsZNoaXz/lpbhmjoKCpcjv4Y=; b=KpGrnpXY7MINlKWpGt5BXbDHO2GvERi8UG+BL1sFeX6+LAlBRvetoUINt4i3bxgoqL SWgN4N8DBij2no/GeUWSrAbmER+zL57BTpEbLEn0l47Lr6tKTDvGudZT57zgRPm3Wh1K tBO+kGXja7DhQ7zYraTVyRyoGc+XsxZSTXb08= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=cNG+Umuz8gpkckvoqmDpsZNoaXz/lpbhmjoKCpcjv4Y=; b=NxXAIwi5p3JgVUFXxGfk5LaH0Nuq0tBFxFN19zCzRxdyG0ejH4H5tH73N6+dDNsU4/ i2c8Ey/njXQY2KD02+MWgAQSNpByQH1ws9eVoxk+njUrECOdD2rpmsTIKFtB6AT4NsY0 89LU5FNUKfuduck6hOIVz9yxm/n0SxjpJuRgCj2C1k0VRE0+NqxLexkr7UJusU4F4vWW HNuOW8B6q66zh2gVdx8T6r9VmjetpafIdFAcf3uRakLI/JbfKd9CGGoXdB3xIzGlEXz0 XIJ1qM8AzoVsbnhYHStmpHNPNtiD7yn1JOzJ6iRjqRsKNTRdBPZ2qS5Hqb0Qv1Ca1v6d 1JbA== X-Gm-Message-State: ABuFfohhwDzybb6tzguHxHgxrXXI9avemrBmFOmhGfwfi8kF0JuvzTIT FfvZn6WFbq1veamx6bv8mVXImA== X-Google-Smtp-Source: ACcGV61Czj5lcS7tU939B82fcWd1tGZ0LZh2lnxQ0accq1zipJYOa70Q10U4Iahal0QI9rrhzCS1Ng== X-Received: by 2002:a65:4b88:: with SMTP id t8-v6mr909082pgq.239.1537834719316; Mon, 24 Sep 2018 17:18:39 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id r12-v6sm540112pfh.79.2018.09.24.17.18.36 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 24 Sep 2018 17:18:37 -0700 (PDT) From: Kees Cook To: James Morris Cc: Kees Cook , Arnd Bergmann , "Serge E. Hallyn" , Ard Biesheuvel , linux-arch@vger.kernel.org, linux-security-module@vger.kernel.org, Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , Jonathan Corbet , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v3 03/29] LSM: Rename .security_initcall section to .lsm_info Date: Mon, 24 Sep 2018 17:18:06 -0700 Message-Id: <20180925001832.18322-4-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180925001832.18322-1-keescook@chromium.org> References: <20180925001832.18322-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP In preparation for switching from initcall to just a regular set of pointers in a section, rename the internal section name. Cc: Arnd Bergmann Cc: James Morris Cc: "Serge E. Hallyn" Cc: Ard Biesheuvel Cc: linux-arch@vger.kernel.org Cc: linux-security-module@vger.kernel.org Signed-off-by: Kees Cook Reviewed-by: James Morris Reviewed-by: John Johansen --- include/asm-generic/vmlinux.lds.h | 10 +++++----- include/linux/init.h | 4 ++-- security/security.c | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h index 934a45395547..5079a969e612 100644 --- a/include/asm-generic/vmlinux.lds.h +++ b/include/asm-generic/vmlinux.lds.h @@ -787,14 +787,14 @@ __con_initcall_end = .; #define SECURITY_INITCALL \ - __security_initcall_start = .; \ - KEEP(*(.security_initcall.init)) \ - __security_initcall_end = .; + __start_lsm_info = .; \ + KEEP(*(.lsm_info.init)) \ + __end_lsm_info = .; /* Older linker script style for security init. */ #define SECURITY_INIT \ - .security_initcall.init : AT(ADDR(.security_initcall.init) - LOAD_OFFSET) { \ - SECURITY_INITCALL \ + .lsm_info.init : AT(ADDR(.lsm_info.init) - LOAD_OFFSET) { \ + LSM_INFO \ } #ifdef CONFIG_BLK_DEV_INITRD diff --git a/include/linux/init.h b/include/linux/init.h index 2538d176dd1f..77636539e77c 100644 --- a/include/linux/init.h +++ b/include/linux/init.h @@ -133,7 +133,7 @@ static inline initcall_t initcall_from_entry(initcall_entry_t *entry) #endif extern initcall_entry_t __con_initcall_start[], __con_initcall_end[]; -extern initcall_entry_t __security_initcall_start[], __security_initcall_end[]; +extern initcall_entry_t __start_lsm_info[], __end_lsm_info[]; /* Used for contructor calls. */ typedef void (*ctor_fn_t)(void); @@ -236,7 +236,7 @@ extern bool initcall_debug; static exitcall_t __exitcall_##fn __exit_call = fn #define console_initcall(fn) ___define_initcall(fn,, .con_initcall) -#define security_initcall(fn) ___define_initcall(fn,, .security_initcall) +#define security_initcall(fn) ___define_initcall(fn,, .lsm_info) struct obs_kernel_param { const char *str; diff --git a/security/security.c b/security/security.c index 4cbcf244a965..892fe6b691cf 100644 --- a/security/security.c +++ b/security/security.c @@ -51,9 +51,9 @@ static void __init do_security_initcalls(void) initcall_t call; initcall_entry_t *ce; - ce = __security_initcall_start; + ce = __start_lsm_info; trace_initcall_level("security"); - while (ce < __security_initcall_end) { + while (ce < __end_lsm_info) { call = initcall_from_entry(ce); trace_initcall_start(call); ret = call(); From patchwork Tue Sep 25 00:18:07 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10613085 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 617E814DA for ; Tue, 25 Sep 2018 00:18:48 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4CE2F29E9D for ; Tue, 25 Sep 2018 00:18:48 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 4107529F53; Tue, 25 Sep 2018 00:18:48 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A684229EC0 for ; Tue, 25 Sep 2018 00:18:47 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728274AbeIYGX0 (ORCPT ); Tue, 25 Sep 2018 02:23:26 -0400 Received: from mail-pf1-f194.google.com ([209.85.210.194]:33693 "EHLO mail-pf1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728078AbeIYGX0 (ORCPT ); Tue, 25 Sep 2018 02:23:26 -0400 Received: by mail-pf1-f194.google.com with SMTP id d4-v6so9930739pfn.0 for ; Mon, 24 Sep 2018 17:18:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=grdTh6jgWyilD8yd1ADEbK7C00utpPYIiWkMyo43GXU=; b=WDUrBOFup3bgS3V1x1Go6KM1/ZIZHZznHJFiBJ2FwbSVplhb/hvi7CSZP6qHZUMbd/ 929mOJBuzYbyYOOE1oLY7DlyH+uPKZrIFsjGTrERVRghtfDhzvSqVAHqOYjsDNEzXktc VrutY4O+8Lb5M6lBhaAWe2/MVw0f9LAoNcb2g= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=grdTh6jgWyilD8yd1ADEbK7C00utpPYIiWkMyo43GXU=; b=UfqwYeFwE2YWCavLMa3oXdII0SnDfCwvv77fbMl79h927m7FtTd9+GpAPckITECeXL jJZ/3gBzgPbG6sLEqaY7KPeEhCIEhSD3h7A2Lwfpvc8TKtjV2izs+O9Vt4zeC/3kw4dn h77z/B8MmK0jZdUQSz2Vniq3ZITDodbYXv9L7aHAMwtoU7dejDnzhMtltrA8xjIp9DMd nRmG9Og4TrH7mhZilwyb2tuFwGRKJsx3MaOguFshvLsvayHyrYmtkjfvDUWTa7d9EbWE NYoUCCud3DBEywg8qv43BRcqxAM9VmcfEsJ5QOFzFvqMUN2eSivYuNOaGDjQVSnepv7B VJ0A== X-Gm-Message-State: ABuFfoj81ynm2BM/AxwLgxvsr0bYTmhbA1yrlEa+JlrOrOpYnCmbVk4u bQshFBW9z/GI2lR1ml4pZ/WIyw== X-Google-Smtp-Source: ACcGV60Q+qQUcfOgrc942qlgSi/1M22qVFDImDAbsmJZ/SOrnCHJDrfeP/Y4IHCoF1FM5IPgnBcmVA== X-Received: by 2002:a62:444d:: with SMTP id r74-v6mr1006201pfa.96.1537834720182; Mon, 24 Sep 2018 17:18:40 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id y85-v6sm560016pfa.170.2018.09.24.17.18.36 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 24 Sep 2018 17:18:37 -0700 (PDT) From: Kees Cook To: James Morris Cc: Kees Cook , "Serge E. Hallyn" , Abderrahmane Benbachir , Steven Rostedt , linux-security-module@vger.kernel.org, Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v3 04/29] LSM: Remove initcall tracing Date: Mon, 24 Sep 2018 17:18:07 -0700 Message-Id: <20180925001832.18322-5-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180925001832.18322-1-keescook@chromium.org> References: <20180925001832.18322-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP This partially reverts commit 58eacfffc417 ("init, tracing: instrument security and console initcall trace events") since security init calls are about to no longer resemble regular init calls. Cc: James Morris Cc: "Serge E. Hallyn" Cc: Abderrahmane Benbachir Cc: Steven Rostedt (VMware) Cc: linux-security-module@vger.kernel.org Signed-off-by: Kees Cook Reviewed-by: John Johansen --- security/security.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/security/security.c b/security/security.c index 892fe6b691cf..41a5da2c7faf 100644 --- a/security/security.c +++ b/security/security.c @@ -30,8 +30,6 @@ #include #include -#include - #define MAX_LSM_EVM_XATTR 2 /* Maximum number of letters for an LSM name string */ @@ -47,17 +45,13 @@ static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = static void __init do_security_initcalls(void) { - int ret; initcall_t call; initcall_entry_t *ce; ce = __start_lsm_info; - trace_initcall_level("security"); while (ce < __end_lsm_info) { call = initcall_from_entry(ce); - trace_initcall_start(call); - ret = call(); - trace_initcall_finish(call, ret); + call(); ce++; } } From patchwork Tue Sep 25 00:18:08 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10613087 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 75075161F for ; Tue, 25 Sep 2018 00:18:48 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 606C629E9D for ; Tue, 25 Sep 2018 00:18:48 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 5470C29F85; Tue, 25 Sep 2018 00:18:48 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C8D4729EE6 for ; Tue, 25 Sep 2018 00:18:47 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728476AbeIYGXb (ORCPT ); Tue, 25 Sep 2018 02:23:31 -0400 Received: from mail-pf1-f194.google.com ([209.85.210.194]:42915 "EHLO mail-pf1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728468AbeIYGXa (ORCPT ); Tue, 25 Sep 2018 02:23:30 -0400 Received: by mail-pf1-f194.google.com with SMTP id l9-v6so9910975pff.9 for ; Mon, 24 Sep 2018 17:18:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=7f6s3h2XkG6YWMgb517IuF2nVTrNpz4+Hbs+4cRPNw0=; b=Fsu+0ulS0n9lKo7TsWXZzm96YjGD/7EVf9gti/rmu6qSM3VV2CSjT0y+sViQt2M5yU dAdR5Mlki0+DyAbHJWp5YphwuPCDT1lfl7EN7LdAncjwHeSfRJ5oxjRfw0n8f0uGQ1QY 5j2JfdLuZiZXHge3EEFKAD1M1CN0Ls95FeXCk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=7f6s3h2XkG6YWMgb517IuF2nVTrNpz4+Hbs+4cRPNw0=; b=iYlRfoV7cnF0ip/n4TuVYd1ogLllu6qi3O0VThMKGW06V4c17feAoEiEHc4JHeVnp9 ciqP4hJu43v3Dw3E7jH4Gr17XlMXf3r1x58z1GZMUk/5hopOFgXQXyquc5lG5GQ5S4Y+ xAcgoEPV6/0Y1DjUUR7ZMel10nOoKX82kLJTqSPhQ/5ASIviid2pzZbnK2KgVg6AK778 C9QNVRbq25UWetOibu5TnhXtTQFrPRVH8suCCBVmlCT20arhr3RrOHfiH7m28r0Bmd+U N95ZQ+vtWJ52QzUSXD+7XxfEtfmGSySVAVy5erJlTtMrQdVItGiuYnXInOoAIkuvSDh1 WLKQ== X-Gm-Message-State: ABuFfojHZcRvcz2TYzfNPJG26bELHLU/+UZNPbbCgCs5eAaF9DXihUUi buKT4fXwzy0LWyhMaHR7pXZ3Lg== X-Google-Smtp-Source: ACcGV63wWje2jsfHPl5dJgkho27uYCmeUYW55vB1qzHEMaOPkkIhTbk8K0jLsmWbN4E+R6SAVhceYA== X-Received: by 2002:a17:902:9a47:: with SMTP id x7-v6mr965533plv.37.1537834724591; Mon, 24 Sep 2018 17:18:44 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id d10-v6sm501218pgo.2.2018.09.24.17.18.39 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 24 Sep 2018 17:18:42 -0700 (PDT) From: Kees Cook To: James Morris Cc: Kees Cook , "Serge E. Hallyn" , Ard Biesheuvel , Paul Moore , linux-security-module@vger.kernel.org, Casey Schaufler , John Johansen , Tetsuo Handa , Stephen Smalley , "Schaufler, Casey" , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v3 05/29] LSM: Convert from initcall to struct lsm_info Date: Mon, 24 Sep 2018 17:18:08 -0700 Message-Id: <20180925001832.18322-6-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180925001832.18322-1-keescook@chromium.org> References: <20180925001832.18322-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP In preparation for doing more interesting LSM init probing, this converts the existing initcall system into an explicit call into a function pointer from a section-collected struct lsm_info array. Cc: James Morris Cc: "Serge E. Hallyn" Cc: Ard Biesheuvel Cc: Paul Moore Cc: linux-security-module@vger.kernel.org Signed-off-by: Kees Cook Reviewed-by: James Morris Reviewed-by: John Johansen --- include/linux/init.h | 2 -- include/linux/lsm_hooks.h | 12 ++++++++++++ include/linux/module.h | 1 - security/integrity/iint.c | 1 + security/security.c | 14 +++++--------- 5 files changed, 18 insertions(+), 12 deletions(-) diff --git a/include/linux/init.h b/include/linux/init.h index 77636539e77c..9c2aba1dbabf 100644 --- a/include/linux/init.h +++ b/include/linux/init.h @@ -133,7 +133,6 @@ static inline initcall_t initcall_from_entry(initcall_entry_t *entry) #endif extern initcall_entry_t __con_initcall_start[], __con_initcall_end[]; -extern initcall_entry_t __start_lsm_info[], __end_lsm_info[]; /* Used for contructor calls. */ typedef void (*ctor_fn_t)(void); @@ -236,7 +235,6 @@ extern bool initcall_debug; static exitcall_t __exitcall_##fn __exit_call = fn #define console_initcall(fn) ___define_initcall(fn,, .con_initcall) -#define security_initcall(fn) ___define_initcall(fn,, .lsm_info) struct obs_kernel_param { const char *str; diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 97a020c616ad..ad04761e5587 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2039,6 +2039,18 @@ extern char *lsm_names; extern void security_add_hooks(struct security_hook_list *hooks, int count, char *lsm); +struct lsm_info { + int (*init)(void); +}; + +extern struct lsm_info __start_lsm_info[], __end_lsm_info[]; + +#define security_initcall(lsm) \ + static struct lsm_info __lsm_##lsm \ + __used __section(.lsm_info.init) \ + __aligned(sizeof(unsigned long)) \ + = { .init = lsm, } + #ifdef CONFIG_SECURITY_SELINUX_DISABLE /* * Assuring the safety of deleting a security module is up to diff --git a/include/linux/module.h b/include/linux/module.h index f807f15bebbe..264979283756 100644 --- a/include/linux/module.h +++ b/include/linux/module.h @@ -123,7 +123,6 @@ extern void cleanup_module(void); #define late_initcall_sync(fn) module_init(fn) #define console_initcall(fn) module_init(fn) -#define security_initcall(fn) module_init(fn) /* Each module must use one module_init(). */ #define module_init(initfn) \ diff --git a/security/integrity/iint.c b/security/integrity/iint.c index 5a6810041e5c..70d21b566955 100644 --- a/security/integrity/iint.c +++ b/security/integrity/iint.c @@ -22,6 +22,7 @@ #include #include #include +#include #include "integrity.h" static struct rb_root integrity_iint_tree = RB_ROOT; diff --git a/security/security.c b/security/security.c index 41a5da2c7faf..e74f46fba591 100644 --- a/security/security.c +++ b/security/security.c @@ -43,16 +43,12 @@ char *lsm_names; static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = CONFIG_DEFAULT_SECURITY; -static void __init do_security_initcalls(void) +static void __init major_lsm_init(void) { - initcall_t call; - initcall_entry_t *ce; + struct lsm_info *lsm; - ce = __start_lsm_info; - while (ce < __end_lsm_info) { - call = initcall_from_entry(ce); - call(); - ce++; + for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { + lsm->init(); } } @@ -82,7 +78,7 @@ int __init security_init(void) /* * Load all the remaining security modules. */ - do_security_initcalls(); + major_lsm_init(); return 0; } From patchwork Tue Sep 25 00:18:09 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10613125 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 2A21E14DA for ; Tue, 25 Sep 2018 00:20:32 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 163E529E9D for ; Tue, 25 Sep 2018 00:20:32 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 0533729EE6; Tue, 25 Sep 2018 00:20:32 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 745AC29E9D for ; Tue, 25 Sep 2018 00:20:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726025AbeIYGZP (ORCPT ); Tue, 25 Sep 2018 02:25:15 -0400 Received: from mail-pg1-f196.google.com ([209.85.215.196]:41397 "EHLO mail-pg1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728126AbeIYGXa (ORCPT ); Tue, 25 Sep 2018 02:23:30 -0400 Received: by mail-pg1-f196.google.com with SMTP id z3-v6so5141633pgv.8 for ; Mon, 24 Sep 2018 17:18:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=zeggc8Kiynho06cDkTryazBV33kA+k93YFXTk1NTHxE=; b=gMZyR1mK7fEaDCv4AHW5eY81K80+EAdnhUunG1WM0AnZaWrNq24S891/nVS5ieALUi uDERGmXjfhbaYy6lKW1OlvUXZSk6txjQbT5heHcwb/o5MdrlWAYdUVZclujNPxu9MVOw vxe3QwC8PVyKTl5z0dDR/sXm/TwV57MwBrHBM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=zeggc8Kiynho06cDkTryazBV33kA+k93YFXTk1NTHxE=; b=abmn7mqWgvHX4kEsKaZr+CAiBtWSdiFp0HvKX3yp8mJS7yL9m4FW9O//TUmDoLJd4O hs0e1rhkf8PhZ1RznZyz3+uxeSEbPzk4OOBSThDm2XXLcD9WURsFeN8PX3EIPRuZecs7 d9T2fCNucDPMF+4iSpfM6Aco2/qlglUsDDCtvhrbyEJJApxEwNlbjO5iGcfAD6EhTUQN Z/TUaXyw88lZ1ippFk0mQzQOPlAiHgDYqe9dmoXYJbfT/WVwgCs1LeULkKCJE/u7pE3j xE78/NUFZrclHBALyrjVQfBVpScfXzZOSRLwsnMm5QfhMueMPpZKD9oNyjYmMcdHaJ4U u/kQ== X-Gm-Message-State: ABuFfoieqlRCI1qcec03uz3seF+AvR00ObqGJxfKEX4OpoXuXWvUKNoV cwjooDn32zBdWlIEURhUYA97Vw== X-Google-Smtp-Source: ACcGV60HxhgoMKv8Slt3DfN/rLFvvw6DyUS++w0tNGFQqpEba6INC56956blA9uOw8xfYhoDG/VypQ== X-Received: by 2002:a62:2b50:: with SMTP id r77-v6mr978646pfr.51.1537834723640; Mon, 24 Sep 2018 17:18:43 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id a15-v6sm589398pfe.32.2018.09.24.17.18.38 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 24 Sep 2018 17:18:42 -0700 (PDT) From: Kees Cook To: James Morris Cc: Kees Cook , linux-arch@vger.kernel.org, Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v3 06/29] vmlinux.lds.h: Move LSM_TABLE into INIT_DATA Date: Mon, 24 Sep 2018 17:18:09 -0700 Message-Id: <20180925001832.18322-7-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180925001832.18322-1-keescook@chromium.org> References: <20180925001832.18322-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Since the struct lsm_info table is not an initcall, we can just move it into INIT_DATA like all the other tables. Cc: linux-arch@vger.kernel.org Signed-off-by: Kees Cook Reviewed-by: John Johansen --- arch/arc/kernel/vmlinux.lds.S | 1 - arch/arm/kernel/vmlinux-xip.lds.S | 1 - arch/arm64/kernel/vmlinux.lds.S | 1 - arch/h8300/kernel/vmlinux.lds.S | 1 - arch/microblaze/kernel/vmlinux.lds.S | 2 -- arch/powerpc/kernel/vmlinux.lds.S | 2 -- arch/um/include/asm/common.lds.S | 2 -- arch/xtensa/kernel/vmlinux.lds.S | 1 - include/asm-generic/vmlinux.lds.h | 24 +++++++++++------------- 9 files changed, 11 insertions(+), 24 deletions(-) diff --git a/arch/arc/kernel/vmlinux.lds.S b/arch/arc/kernel/vmlinux.lds.S index f35ed578e007..8fb16bdabdcf 100644 --- a/arch/arc/kernel/vmlinux.lds.S +++ b/arch/arc/kernel/vmlinux.lds.S @@ -71,7 +71,6 @@ SECTIONS INIT_SETUP(L1_CACHE_BYTES) INIT_CALLS CON_INITCALL - SECURITY_INITCALL } .init.arch.info : { diff --git a/arch/arm/kernel/vmlinux-xip.lds.S b/arch/arm/kernel/vmlinux-xip.lds.S index 3593d5c1acd2..8c74037ade22 100644 --- a/arch/arm/kernel/vmlinux-xip.lds.S +++ b/arch/arm/kernel/vmlinux-xip.lds.S @@ -96,7 +96,6 @@ SECTIONS INIT_SETUP(16) INIT_CALLS CON_INITCALL - SECURITY_INITCALL INIT_RAM_FS } diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S index 605d1b60469c..7d23d591b03c 100644 --- a/arch/arm64/kernel/vmlinux.lds.S +++ b/arch/arm64/kernel/vmlinux.lds.S @@ -166,7 +166,6 @@ SECTIONS INIT_SETUP(16) INIT_CALLS CON_INITCALL - SECURITY_INITCALL INIT_RAM_FS *(.init.rodata.* .init.bss) /* from the EFI stub */ } diff --git a/arch/h8300/kernel/vmlinux.lds.S b/arch/h8300/kernel/vmlinux.lds.S index 35716a3048de..49f716c0a1df 100644 --- a/arch/h8300/kernel/vmlinux.lds.S +++ b/arch/h8300/kernel/vmlinux.lds.S @@ -56,7 +56,6 @@ SECTIONS __init_begin = .; INIT_TEXT_SECTION(4) INIT_DATA_SECTION(4) - SECURITY_INIT __init_end = .; _edata = . ; _begin_data = LOADADDR(.data); diff --git a/arch/microblaze/kernel/vmlinux.lds.S b/arch/microblaze/kernel/vmlinux.lds.S index 289d0e7f3e3a..e1f3e8741292 100644 --- a/arch/microblaze/kernel/vmlinux.lds.S +++ b/arch/microblaze/kernel/vmlinux.lds.S @@ -117,8 +117,6 @@ SECTIONS { CON_INITCALL } - SECURITY_INIT - __init_end_before_initramfs = .; .init.ramfs : AT(ADDR(.init.ramfs) - LOAD_OFFSET) { diff --git a/arch/powerpc/kernel/vmlinux.lds.S b/arch/powerpc/kernel/vmlinux.lds.S index 07ae018e550e..105a976323aa 100644 --- a/arch/powerpc/kernel/vmlinux.lds.S +++ b/arch/powerpc/kernel/vmlinux.lds.S @@ -212,8 +212,6 @@ SECTIONS CON_INITCALL } - SECURITY_INIT - . = ALIGN(8); __ftr_fixup : AT(ADDR(__ftr_fixup) - LOAD_OFFSET) { __start___ftr_fixup = .; diff --git a/arch/um/include/asm/common.lds.S b/arch/um/include/asm/common.lds.S index 7adb4e6b658a..4049f2c46387 100644 --- a/arch/um/include/asm/common.lds.S +++ b/arch/um/include/asm/common.lds.S @@ -53,8 +53,6 @@ CON_INITCALL } - SECURITY_INIT - .exitcall : { __exitcall_begin = .; *(.exitcall.exit) diff --git a/arch/xtensa/kernel/vmlinux.lds.S b/arch/xtensa/kernel/vmlinux.lds.S index a1c3edb8ad56..b727b18a68ac 100644 --- a/arch/xtensa/kernel/vmlinux.lds.S +++ b/arch/xtensa/kernel/vmlinux.lds.S @@ -197,7 +197,6 @@ SECTIONS INIT_SETUP(XCHAL_ICACHE_LINESIZE) INIT_CALLS CON_INITCALL - SECURITY_INITCALL INIT_RAM_FS } diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h index 5079a969e612..b31ea8bdfef9 100644 --- a/include/asm-generic/vmlinux.lds.h +++ b/include/asm-generic/vmlinux.lds.h @@ -203,6 +203,15 @@ #define EARLYCON_TABLE() #endif +#ifdef CONFIG_SECURITY +#define LSM_TABLE() . = ALIGN(8); \ + __start_lsm_info = .; \ + KEEP(*(.lsm_info.init)) \ + __end_lsm_info = .; +#else +#define LSM_TABLE() +#endif + #define ___OF_TABLE(cfg, name) _OF_TABLE_##cfg(name) #define __OF_TABLE(cfg, name) ___OF_TABLE(cfg, name) #define OF_TABLE(cfg, name) __OF_TABLE(IS_ENABLED(cfg), name) @@ -597,7 +606,8 @@ IRQCHIP_OF_MATCH_TABLE() \ ACPI_PROBE_TABLE(irqchip) \ ACPI_PROBE_TABLE(timer) \ - EARLYCON_TABLE() + EARLYCON_TABLE() \ + LSM_TABLE() #define INIT_TEXT \ *(.init.text .init.text.*) \ @@ -786,17 +796,6 @@ KEEP(*(.con_initcall.init)) \ __con_initcall_end = .; -#define SECURITY_INITCALL \ - __start_lsm_info = .; \ - KEEP(*(.lsm_info.init)) \ - __end_lsm_info = .; - -/* Older linker script style for security init. */ -#define SECURITY_INIT \ - .lsm_info.init : AT(ADDR(.lsm_info.init) - LOAD_OFFSET) { \ - LSM_INFO \ - } - #ifdef CONFIG_BLK_DEV_INITRD #define INIT_RAM_FS \ . = ALIGN(4); \ @@ -963,7 +962,6 @@ INIT_SETUP(initsetup_align) \ INIT_CALLS \ CON_INITCALL \ - SECURITY_INITCALL \ INIT_RAM_FS \ } From patchwork Tue Sep 25 00:18:10 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10613123 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A1E11161F for ; Tue, 25 Sep 2018 00:20:21 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8CA6C29E9D for ; Tue, 25 Sep 2018 00:20:21 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 80E6E29EE6; Tue, 25 Sep 2018 00:20:21 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D86F129EC0 for ; Tue, 25 Sep 2018 00:20:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728951AbeIYGZA (ORCPT ); Tue, 25 Sep 2018 02:25:00 -0400 Received: from mail-pg1-f195.google.com ([209.85.215.195]:34732 "EHLO mail-pg1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728468AbeIYGXc (ORCPT ); Tue, 25 Sep 2018 02:23:32 -0400 Received: by mail-pg1-f195.google.com with SMTP id d19-v6so10129228pgv.1 for ; Mon, 24 Sep 2018 17:18:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=6EfxT0zcae6A5rzLbELC2IqQ09YDT4L0Am/o9GdvmCQ=; b=ca8HuJEN8GvhdrrGWOJGHlywVNTjjXI23kAJOqur2gPvgJq4UX3WPgibnW/GvLJ6LX sBljd7tWuue+7KP85zge+rgxoKYQ7HtIsfSzJedqK/WdiGbpKo6YLJJRwGLnz8V5oDlO LNqPGr1y0SSZvAPde8tK7oZ9JRyQ2MKjS1bt4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=6EfxT0zcae6A5rzLbELC2IqQ09YDT4L0Am/o9GdvmCQ=; b=EZI53ZKxUryeEwkI83ZsKNg3T8TbzCAMaAd/+kdgpmdyEVsijq8SwOJfKeaxx7VDu/ dxBDEbMvJo5F6wG8LWwYqLYMLtFoBcpB6M4rYQZPyNYLkOoA23TSg/KBR8q+5om58q4o cTqPMrgDbvy5YVEuRCOAiCSu0hoPVWGcjFFCq+NNOisd2FdajeKVEDSV/HwMW65GnIRz 2PciZWDeaFaWoewLjnd+SFN+L/ZmJf94QRC9OlWpgbPTd+py3OqyhIojuesibwUUb7eE /6bnj3Lywktur1+MmzYuPWB9jcFE8VpScQAWcKeZtIgQb+FlGgRbHkaLxlw+w6n+jVoc ftXw== X-Gm-Message-State: ABuFfojZ1PUUvOC3BK/Nv2q10N3QXCqRhZDcQ2rRSmTH8K1zXF2Kb3OJ pd6nHSdSZyWKzBOBLWpaioQCr2sVGvI= X-Google-Smtp-Source: ACcGV61sgt2d0oFLTpcaL284CJN9GYkgWTcz9hrEiYPZ5KRo/A/eEWo/lu+MeTxLrEIDpJQw98EHPQ== X-Received: by 2002:a63:700e:: with SMTP id l14-v6mr860909pgc.359.1537834726429; Mon, 24 Sep 2018 17:18:46 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id a75-v6sm540713pfa.124.2018.09.24.17.18.39 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 24 Sep 2018 17:18:42 -0700 (PDT) From: Kees Cook To: James Morris Cc: Kees Cook , John Johansen , "Serge E. Hallyn" , Paul Moore , Stephen Smalley , Casey Schaufler , Tetsuo Handa , Mimi Zohar , linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, Tetsuo Handa , "Schaufler, Casey" , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v3 07/29] LSM: Convert security_initcall() into DEFINE_LSM() Date: Mon, 24 Sep 2018 17:18:10 -0700 Message-Id: <20180925001832.18322-8-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180925001832.18322-1-keescook@chromium.org> References: <20180925001832.18322-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Instead of using argument-based initializers, switch to defining the contents of struct lsm_info on a per-LSM basis. This also drops the final use of the now inaccurate "initcall" naming. Cc: John Johansen Cc: James Morris Cc: "Serge E. Hallyn" Cc: Paul Moore Cc: Stephen Smalley Cc: Casey Schaufler Cc: Tetsuo Handa Cc: Mimi Zohar Cc: linux-security-module@vger.kernel.org Cc: selinux@tycho.nsa.gov Signed-off-by: Kees Cook --- include/linux/lsm_hooks.h | 6 ++++-- security/apparmor/lsm.c | 4 +++- security/integrity/iint.c | 4 +++- security/selinux/hooks.c | 4 +++- security/smack/smack_lsm.c | 4 +++- security/tomoyo/tomoyo.c | 4 +++- 6 files changed, 19 insertions(+), 7 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index ad04761e5587..02ec717189f9 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2045,11 +2045,13 @@ struct lsm_info { extern struct lsm_info __start_lsm_info[], __end_lsm_info[]; -#define security_initcall(lsm) \ +#define DEFINE_LSM(lsm) \ static struct lsm_info __lsm_##lsm \ __used __section(.lsm_info.init) \ __aligned(sizeof(unsigned long)) \ - = { .init = lsm, } + = { \ + +#define END_LSM } #ifdef CONFIG_SECURITY_SELINUX_DISABLE /* diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 8b8b70620bbe..7fa7b4464cf4 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1606,4 +1606,6 @@ static int __init apparmor_init(void) return error; } -security_initcall(apparmor_init); +DEFINE_LSM(apparmor) + .init = apparmor_init, +END_LSM; diff --git a/security/integrity/iint.c b/security/integrity/iint.c index 70d21b566955..20e60df929a3 100644 --- a/security/integrity/iint.c +++ b/security/integrity/iint.c @@ -175,7 +175,9 @@ static int __init integrity_iintcache_init(void) 0, SLAB_PANIC, init_once); return 0; } -security_initcall(integrity_iintcache_init); +DEFINE_LSM(integrity) + .init = integrity_iintcache_init, +END_LSM; /* diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ad9a9b8e9979..469a90806bc6 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7202,7 +7202,9 @@ void selinux_complete_init(void) /* SELinux requires early initialization in order to label all processes and objects when they are created. */ -security_initcall(selinux_init); +DEFINE_LSM(selinux) + .init = selinux_init, +END_LSM; #if defined(CONFIG_NETFILTER) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 340fc30ad85d..1e1ace718e75 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4882,4 +4882,6 @@ static __init int smack_init(void) * Smack requires early initialization in order to label * all processes and objects when they are created. */ -security_initcall(smack_init); +DEFINE_LSM(smack) + .init = smack_init, +END_LSM; diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index 9f932e2d6852..a280d4eab456 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c @@ -550,4 +550,6 @@ static int __init tomoyo_init(void) return 0; } -security_initcall(tomoyo_init); +DEFINE_LSM(tomoyo) + .init = tomoyo_init, +END_LSM; From patchwork Tue Sep 25 00:18:11 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10613121 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 7157D15A6 for ; Tue, 25 Sep 2018 00:20:21 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5C13A29E9D for ; Tue, 25 Sep 2018 00:20:17 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 504C729EE6; Tue, 25 Sep 2018 00:20:17 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8C60529E9D for ; Tue, 25 Sep 2018 00:20:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728963AbeIYGZA (ORCPT ); Tue, 25 Sep 2018 02:25:00 -0400 Received: from mail-pg1-f193.google.com ([209.85.215.193]:44900 "EHLO mail-pg1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728282AbeIYGXb (ORCPT ); Tue, 25 Sep 2018 02:23:31 -0400 Received: by mail-pg1-f193.google.com with SMTP id g2-v6so2107524pgu.11 for ; Mon, 24 Sep 2018 17:18:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=c4wsyr1NZn56YkQKjbjGcHjAWvwN5RbGtjsBeVsLDNU=; b=bxlBTDbgLZnuGDjbn673OVHYRF9df9W7Kt9ZUSjmDGl8IBbhkXqXfhXZUPKX1IR9a9 wM58T7WMa4Zdl5QYmIQYFEaXzxK5RbTySNQ8ouMoeo+iVZuYzwu5hGQCvT/R77MXAzCp tNbtkA9iR5U7c48VWJ5CC67CtxMoohzURkOio= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=c4wsyr1NZn56YkQKjbjGcHjAWvwN5RbGtjsBeVsLDNU=; b=oiN3d5j0lW7oMKmGBPJziqetcquZVQC71uwsRL2YJWd9hNkj6moDM34xh77HmEu8Kz +cyOFJBINfMmsxLI9tEubhuCsLIhL0SmVufk6ZBQQbccrmkFhZ6sIF/GT0NuBm2QKsdN LU/633/JO5iNlBWSxOhT2/93jwJl79X+QXQt59sOO0BPg0oDMF/1tUVhM0o5Ee8i07TC hnweZmBLjPPGq8xyjNe0UpWVMx2wm7G4+WQwOzxNdW5P2CCGQ238QlRfyh6u0GQXVtsB EiYEEX1507FmXh13XXoNMpzVF0F+aCqIKsj72dWbpy7pF2VBAPfzvRj+5gTZvlBcas5G UmuQ== X-Gm-Message-State: ABuFfoi5CH0t97XasJgK1bEp8AhM43IfyI/2mg5Put/bUoCHLKQQvoTl FJQH/5pLs6WIPWqsweVw95YkPQ== X-Google-Smtp-Source: ACcGV62ClFJfkD5dKmLg1O/5PQBsQ/21CN+/rBLxS+fFLVuAfwqKT3a3XEWOg1f9MkEy+JCioBzO/A== X-Received: by 2002:a63:1245:: with SMTP id 5-v6mr882047pgs.299.1537834725518; Mon, 24 Sep 2018 17:18:45 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id o17-v6sm520730pgc.30.2018.09.24.17.18.39 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 24 Sep 2018 17:18:42 -0700 (PDT) From: Kees Cook To: James Morris Cc: Kees Cook , James Morris , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v3 08/29] LSM: Record LSM name in struct lsm_info Date: Mon, 24 Sep 2018 17:18:11 -0700 Message-Id: <20180925001832.18322-9-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180925001832.18322-1-keescook@chromium.org> References: <20180925001832.18322-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP In preparation for making LSM selections outside of the LSMs, include the name of LSMs in struct lsm_info. Cc: James Morris Signed-off-by: Kees Cook --- include/linux/lsm_hooks.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 02ec717189f9..543636f18152 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2040,16 +2040,20 @@ extern void security_add_hooks(struct security_hook_list *hooks, int count, char *lsm); struct lsm_info { + const char *name; /* Populated automatically. */ int (*init)(void); }; extern struct lsm_info __start_lsm_info[], __end_lsm_info[]; #define DEFINE_LSM(lsm) \ + static const char __lsm_name_##lsm[] __initconst \ + __aligned(1) = #lsm; \ static struct lsm_info __lsm_##lsm \ __used __section(.lsm_info.init) \ __aligned(sizeof(unsigned long)) \ = { \ + .name = __lsm_name_##lsm, \ #define END_LSM } From patchwork Tue Sep 25 00:18:12 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10613117 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E2B81161F for ; Tue, 25 Sep 2018 00:20:08 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C7B6F29EE6 for ; Tue, 25 Sep 2018 00:20:04 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id BBA6D29EC0; Tue, 25 Sep 2018 00:20:04 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5572029EC0 for ; Tue, 25 Sep 2018 00:20:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728697AbeIYGXf (ORCPT ); Tue, 25 Sep 2018 02:23:35 -0400 Received: from mail-pg1-f193.google.com ([209.85.215.193]:40383 "EHLO mail-pg1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726512AbeIYGXd (ORCPT ); Tue, 25 Sep 2018 02:23:33 -0400 Received: by mail-pg1-f193.google.com with SMTP id n31-v6so3230311pgm.7 for ; Mon, 24 Sep 2018 17:18:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=V3gWF7rko5DL5iZJCCi6Kc67O4L0MbWrE1FLQotdnGU=; b=hkOjT+tkFnNlRszSXPE//GHlDYA0w4AK8opuzxqqgNSPnb4aEo6bx3OTwffySrpN4W jIb9d1mocCjbaiWHTR+rZjDkXeKO0vUU+VHXyYFomeC2mkGsAuU6YmkwUm26MIDQ6jZJ gsOo7QwkxDatM8nWhoWjLBhDOoJ+Kh5j0QS1o= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=V3gWF7rko5DL5iZJCCi6Kc67O4L0MbWrE1FLQotdnGU=; b=WQanuYLUctGT/e+8+2M0EXn5POVem93dAaFqcUWefOMt/LdBqv7qaXJsICRX3fdVqf W9nsgN9n3UabqEznWAvhrW5x0vKu3yLS6FcRM2gCOQShxCZXsbNcSsbQrP0yFplLHMjW ydjYWT9utjnDQM+4/jHWylBHcz8ZME8pdYB2j33K5VcDHjjw81JeTduuRgZLeCX7aa9f +Igdapn9GuFxdhew0/S6Yx01XHDYG1S5aDp29sS7fStrEiR4+VB3mpzP/NsojsGMwKfh q1O6EEYRpXut6jBq6eZ0byHHiIuWmVGpHRL/veZX/8LChEkAOTLLAsMeHeaOUXlo5k04 M6Fw== X-Gm-Message-State: ABuFfojDwizTbfrV9Q6dZgS8HUHbitJz1HO5/wQ+blYSdqwSTV8ZbRb+ u3T+noJxIRVFQqYtJ7WIF1lspQ== X-Google-Smtp-Source: ACcGV60qe4zTewbildyI7dwKMAKAlT5Ht4YTAsfkNCS7qLzGRoOJBbDOROzO5coNkv/AJZkjpEC9Kw== X-Received: by 2002:a17:902:44:: with SMTP id 62-v6mr955985pla.181.1537834727371; Mon, 24 Sep 2018 17:18:47 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id v83-v6sm612154pfa.103.2018.09.24.17.18.40 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 24 Sep 2018 17:18:42 -0700 (PDT) From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v3 09/29] LSM: Provide init debugging infrastructure Date: Mon, 24 Sep 2018 17:18:12 -0700 Message-Id: <20180925001832.18322-10-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180925001832.18322-1-keescook@chromium.org> References: <20180925001832.18322-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Booting with "lsm.debug" will report future details on how LSM ordering decisions are being made. Signed-off-by: Kees Cook Reviewed-by: John Johansen --- .../admin-guide/kernel-parameters.txt | 2 ++ security/security.c | 18 ++++++++++++++++++ 2 files changed, 20 insertions(+) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 9871e649ffef..32d323ee9218 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -2274,6 +2274,8 @@ ltpc= [NET] Format: ,, + lsm.debug [SECURITY] Enable LSM initialization debugging output. + machvec= [IA-64] Force the use of a particular machine-vector (machvec) in a generic kernel. Example: machvec=hpzx1_swiotlb diff --git a/security/security.c b/security/security.c index e74f46fba591..ee49b921d750 100644 --- a/security/security.c +++ b/security/security.c @@ -12,6 +12,8 @@ * (at your option) any later version. */ +#define pr_fmt(fmt) "LSM: " fmt + #include #include #include @@ -43,11 +45,19 @@ char *lsm_names; static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = CONFIG_DEFAULT_SECURITY; +static bool debug __initdata; +#define init_debug(...) \ + do { \ + if (debug) \ + pr_info(__VA_ARGS__); \ + } while (0) + static void __init major_lsm_init(void) { struct lsm_info *lsm; for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { + init_debug("initializing %s\n", lsm->name); lsm->init(); } } @@ -91,6 +101,14 @@ static int __init choose_lsm(char *str) } __setup("security=", choose_lsm); +/* Enable LSM order debugging. */ +static int __init enable_debug(char *str) +{ + debug = true; + return 1; +} +__setup("lsm.debug", enable_debug); + static bool match_last_lsm(const char *list, const char *lsm) { const char *last; From patchwork Tue Sep 25 00:18:13 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10613115 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id C209514DA for ; Tue, 25 Sep 2018 00:20:08 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id AD57729E9D for ; Tue, 25 Sep 2018 00:20:04 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id A1A0829F53; Tue, 25 Sep 2018 00:20:04 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D5E9429E9D for ; Tue, 25 Sep 2018 00:20:03 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728702AbeIYGXg (ORCPT ); Tue, 25 Sep 2018 02:23:36 -0400 Received: from mail-pf1-f195.google.com ([209.85.210.195]:42923 "EHLO mail-pf1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726157AbeIYGXd (ORCPT ); Tue, 25 Sep 2018 02:23:33 -0400 Received: by mail-pf1-f195.google.com with SMTP id l9-v6so9911058pff.9 for ; Mon, 24 Sep 2018 17:18:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=BZjzkTJ7R/6jxPCxq75uSj94glR2mULSvjebOSVz4jc=; b=BNNbG8uPI9yLlnm9bM2zwXaCF/XBmEWbJjn9xZEAbieTjylutvTpiIRrB09MnUUyPB CHDp1Xjdcd8xVUMX0nGtNfDuCF2qNnyHOiMsfxG5c4sosLkTI51FzQMHbCY/pFTyDjnB +bek+O4WCxBfiN1CLFKM5JlOlTajjUiCxIY/s= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=BZjzkTJ7R/6jxPCxq75uSj94glR2mULSvjebOSVz4jc=; b=ThAtSM96HF9vc08V2Xu0ZB/eXEWfbUxjMwe4lV4ggcMEXXBl2hLHR18kQVjhc0mYq9 jMeIMLXS/3NfvPJKSNZ8mdjVxf8sS5JDoj6Y3dcVsT9qrjlw6sHrVL6DDomgxU6xM3WJ F05V+Yh4oPpBkdZMqw4S8/skIo0N/LlnxXudKD8JEcVTJ4dgkcKvzblqjFtmkpwxE0T5 NM5CBmpSg8CUZFDo4IpgM5Kf81HN09P7N0Pwg2y6NaLZq2CcgSiaedGeAoS/iVy7TF7F rvSrD8gT90pLiJ0Q5y6rUxtPXRhEZU5w5EbsvgCGF2JZCcSCv0rTT+R4C+Fux5LwS6dM sCzg== X-Gm-Message-State: ABuFfojZlDXYLbhObjfCqdqxzdGaGKncx3QDCd+D4MD/dP5O7P+AYdaT bTkrqBZIwz4RHLDJiLipnIiBKA== X-Google-Smtp-Source: ACcGV61weHh6Rkf3lXBEDGSwP3d0UGjz94RyIHcmJKttOEiM08pEeVvVuUzhZO2jIDRZz+1wFEgwjQ== X-Received: by 2002:a63:f941:: with SMTP id q1-v6mr870290pgk.213.1537834728294; Mon, 24 Sep 2018 17:18:48 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id z25-v6sm605485pfl.58.2018.09.24.17.18.40 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 24 Sep 2018 17:18:42 -0700 (PDT) From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v3 10/29] LSM: Don't ignore initialization failures Date: Mon, 24 Sep 2018 17:18:13 -0700 Message-Id: <20180925001832.18322-11-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180925001832.18322-1-keescook@chromium.org> References: <20180925001832.18322-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP LSM initialization failures have traditionally been ignored. We should at least WARN when something goes wrong. Signed-off-by: Kees Cook Reviewed-by: John Johansen --- security/security.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/security/security.c b/security/security.c index ee49b921d750..1f055936a746 100644 --- a/security/security.c +++ b/security/security.c @@ -55,10 +55,12 @@ static bool debug __initdata; static void __init major_lsm_init(void) { struct lsm_info *lsm; + int ret; for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { init_debug("initializing %s\n", lsm->name); - lsm->init(); + ret = lsm->init(); + WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret); } } From patchwork Tue Sep 25 00:18:14 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10613113 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id C47FD15A6 for ; Tue, 25 Sep 2018 00:20:03 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id AE71229E9D for ; Tue, 25 Sep 2018 00:20:03 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id A040529EE6; Tue, 25 Sep 2018 00:20:03 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3266B29E9D for ; Tue, 25 Sep 2018 00:20:03 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726389AbeIYGYr (ORCPT ); Tue, 25 Sep 2018 02:24:47 -0400 Received: from mail-pf1-f195.google.com ([209.85.210.195]:39959 "EHLO mail-pf1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728704AbeIYGXg (ORCPT ); Tue, 25 Sep 2018 02:23:36 -0400 Received: by mail-pf1-f195.google.com with SMTP id s5-v6so2138175pfj.7 for ; Mon, 24 Sep 2018 17:18:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=2edRK2AZFrxFBXiESIgGjfhpy0zSRex0q+D6nx3+uAQ=; b=Urp1Mw90h+P8UxAPse25ALToKoEoVGmrJLmAMfS65DsUAxVRC1H4HpNVY/p7NpXEqx u8W55R5zikND2gyQf/c+q8WvpnfXrVQkBtQTl5swRnfU2gB/jtqataQi8vMrvL7e72FO cWNBdupazSohrkGtbXwFjWCWa5x+DYeZKZs9w= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=2edRK2AZFrxFBXiESIgGjfhpy0zSRex0q+D6nx3+uAQ=; b=VTk6ABUBR9xuGNb5TtfF1n9XtdzzRvHGAxL4Xv9O85RRM07sMBwKusc4wZEfKvoJYi /Pois9WuOWwDY8A2aRzyTM9AiElmfBN5xQdu8Rb79+jMlbLLgR+qk9HoJhwGG3hqsrpj zvZ1laLZuUAGI2QU3AC+mizPjLK7mzgdhBN47kIJn01B4vmOdgfwK0EAwH6fv6icQBDt w5Oq9NdpG6Q5LJvC68wfeWcgPtP14FlcgCrZVWO+rWUeCM4r8IkUyFyrOU/L9jtFf/+U DnSyn7dKlCV4d1fpsm8J2BO+nIZKuLLgSUfCsiW9zij8IyAQo2MPXxXn3QTrBQehoTmD WL8Q== X-Gm-Message-State: ABuFfojc0DswvuTNJR6otnihg6IkQREXgq+GCfvMubO52iP/JmXK/8tn ZgAEiA0me0Rhybiuy9gHc7/LLQ== X-Google-Smtp-Source: ACcGV62vk1m1eX4nNjkskL5VB4G+9KlGlE6f28Ca6ufe2w21HkY1HPch0o1YcPxOFhnYqvYqiz6hPA== X-Received: by 2002:a63:e04d:: with SMTP id n13-v6mr931731pgj.426.1537834730657; Mon, 24 Sep 2018 17:18:50 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id c78-v6sm505844pfc.188.2018.09.24.17.18.42 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 24 Sep 2018 17:18:48 -0700 (PDT) From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v3 11/29] LSM: Introduce LSM_FLAG_LEGACY_MAJOR Date: Mon, 24 Sep 2018 17:18:14 -0700 Message-Id: <20180925001832.18322-12-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180925001832.18322-1-keescook@chromium.org> References: <20180925001832.18322-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP This adds a flag for the current "major" LSMs to distinguish them when we have a universal method for ordering all LSMs. It's called "legacy" since the distinction of "major" will go away in the blob-sharing world. Signed-off-by: Kees Cook Reviewed-by: John Johansen --- include/linux/lsm_hooks.h | 3 +++ security/apparmor/lsm.c | 1 + security/selinux/hooks.c | 1 + security/smack/smack_lsm.c | 1 + security/tomoyo/tomoyo.c | 1 + 5 files changed, 7 insertions(+) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 543636f18152..5056f7374b3d 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2039,8 +2039,11 @@ extern char *lsm_names; extern void security_add_hooks(struct security_hook_list *hooks, int count, char *lsm); +#define LSM_FLAG_LEGACY_MAJOR BIT(0) + struct lsm_info { const char *name; /* Populated automatically. */ + unsigned long flags; /* Optional: flags describing LSM */ int (*init)(void); }; diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 7fa7b4464cf4..4c5f63e9aeba 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1607,5 +1607,6 @@ static int __init apparmor_init(void) } DEFINE_LSM(apparmor) + .flags = LSM_FLAG_LEGACY_MAJOR, .init = apparmor_init, END_LSM; diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 469a90806bc6..615cf6498c0f 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7203,6 +7203,7 @@ void selinux_complete_init(void) /* SELinux requires early initialization in order to label all processes and objects when they are created. */ DEFINE_LSM(selinux) + .flags = LSM_FLAG_LEGACY_MAJOR, .init = selinux_init, END_LSM; diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 1e1ace718e75..4aef844fc0e2 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4883,5 +4883,6 @@ static __init int smack_init(void) * all processes and objects when they are created. */ DEFINE_LSM(smack) + .flags = LSM_FLAG_LEGACY_MAJOR, .init = smack_init, END_LSM; diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index a280d4eab456..528b6244a648 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c @@ -551,5 +551,6 @@ static int __init tomoyo_init(void) } DEFINE_LSM(tomoyo) + .flags = LSM_FLAG_LEGACY_MAJOR, .init = tomoyo_init, END_LSM; From patchwork Tue Sep 25 00:18:15 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10613119 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6A9AD15A6 for ; Tue, 25 Sep 2018 00:20:11 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5026D29EC0 for ; Tue, 25 Sep 2018 00:20:07 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 445CA29F53; Tue, 25 Sep 2018 00:20:07 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2D97929EC0 for ; Tue, 25 Sep 2018 00:20:05 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726512AbeIYGYt (ORCPT ); Tue, 25 Sep 2018 02:24:49 -0400 Received: from mail-pf1-f195.google.com ([209.85.210.195]:44076 "EHLO mail-pf1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728686AbeIYGXg (ORCPT ); Tue, 25 Sep 2018 02:23:36 -0400 Received: by mail-pf1-f195.google.com with SMTP id k21-v6so9904771pff.11 for ; Mon, 24 Sep 2018 17:18:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=5TLT0f4fZoyxcv+w2j50Rd/UuLy9YsMhEgdbx0R13nc=; b=C14BAFdTW+7Sl9Xf32WFlszgRZuVGPmijY0akk/QJJjWK3lsDRLqrKOSFJBQxkNfl3 jKLsfF8s85yhgC+upLddcaYwJgIGRhsqMOhxzKLpeIfHtbm3KkH0gQRLGzqUGRz9CE6O R9fyZM7+mCvxqO/fIidnQg7SdX2mGfBToaHko= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=5TLT0f4fZoyxcv+w2j50Rd/UuLy9YsMhEgdbx0R13nc=; b=rWscMzdElmnCJs1SIXgo8InWMjuRrMY/RmXP1pMvQDiyksXhFmVXU9m09H/I44St7t IW7uIKPZ2AY0DrcTwyjDSo3Ij0OCGcWkShU6PogHNbt6icSj2b6r5eR5jXibl3fu9wiH 4b4ltLGK33LP6t5XKjUnNHgnp+sfkojvFBMA4q7LbQsXbnyld2UMQw/jkXYVzGox4NRM HBg0TJfGqnfH3lTHPl+PvZeVvNyt2ivgaILRsFb9zCMiNrNyXCmDeK276MrQCCKtvST4 ML8QDU8Hze6S4xVl+Y4BP3ruZMLt3zvvvmjDfTDyFty/BXyENNrSVSfAetwoNEJPQrdm Qs1A== X-Gm-Message-State: ABuFfohTDPPgIdt947II/0M0Gc7dKQU3jsBg1fovdKoS6z2uCq3G+NsB u15kExkErVVxHqlHukZl+omWYQ== X-Google-Smtp-Source: ACcGV60fon6EYbMauix+5f7kIUipMqq0AN0/oDIxWqrisXFl7T1gzUxR/+77R2b3QZVRYtgPMi+o0A== X-Received: by 2002:a63:eb53:: with SMTP id b19-v6mr878850pgk.371.1537834729821; Mon, 24 Sep 2018 17:18:49 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id q26-v6sm607948pfj.127.2018.09.24.17.18.42 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 24 Sep 2018 17:18:48 -0700 (PDT) From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v3 12/29] LSM: Provide separate ordered initialization Date: Mon, 24 Sep 2018 17:18:15 -0700 Message-Id: <20180925001832.18322-13-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180925001832.18322-1-keescook@chromium.org> References: <20180925001832.18322-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP This provides a place for ordered LSMs to be initialized, separate from the "major" LSMs. This is mainly a copy/paste from major_lsm_init() to ordered_lsm_init(), but it will change drastically in later patches. What is not obvious in the patch is that this change moves the integrity LSM from major_lsm_init() into ordered_lsm_init(), since it is not marked with the LSM_FLAG_LEGACY_MAJOR. As it is the only LSM in the "ordered" list, there is no reordering yet created. Signed-off-by: Kees Cook Reviewed-by: John Johansen --- security/security.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/security/security.c b/security/security.c index 1f055936a746..a886a978214a 100644 --- a/security/security.c +++ b/security/security.c @@ -52,12 +52,30 @@ static bool debug __initdata; pr_info(__VA_ARGS__); \ } while (0) +static void __init ordered_lsm_init(void) +{ + struct lsm_info *lsm; + int ret; + + for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { + if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) != 0) + continue; + + init_debug("initializing %s\n", lsm->name); + ret = lsm->init(); + WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret); + } +} + static void __init major_lsm_init(void) { struct lsm_info *lsm; int ret; for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { + if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0) + continue; + init_debug("initializing %s\n", lsm->name); ret = lsm->init(); WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret); @@ -87,6 +105,9 @@ int __init security_init(void) yama_add_hooks(); loadpin_add_hooks(); + /* Load LSMs in specified order. */ + ordered_lsm_init(); + /* * Load all the remaining security modules. */ From patchwork Tue Sep 25 00:18:16 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10613109 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 5F83F14DA for ; Tue, 25 Sep 2018 00:19:45 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4904429E9D for ; Tue, 25 Sep 2018 00:19:45 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 3AEB029EE6; Tue, 25 Sep 2018 00:19:45 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A936329E9D for ; Tue, 25 Sep 2018 00:19:44 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728720AbeIYGY2 (ORCPT ); Tue, 25 Sep 2018 02:24:28 -0400 Received: from mail-pg1-f195.google.com ([209.85.215.195]:37518 "EHLO mail-pg1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728751AbeIYGXi (ORCPT ); Tue, 25 Sep 2018 02:23:38 -0400 Received: by mail-pg1-f195.google.com with SMTP id c10-v6so3124724pgq.4 for ; Mon, 24 Sep 2018 17:18:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=WY5TD/qDFMJ34JwZfEBo6JanVUZJJF8/8bw/2Z0I5Ks=; b=ad+sZQATuWdk6AndQBTL0nmCWHhRmmAZ2jmMc/EyW4mX+Ze5HVxR2eWO0h0An+IRml Iwz0K/cBSAVyyFBwz4I5M1M82ZaJUq3Inw0vJOjp+lfTVIE+KEIrS5HSkpyk+6MtC4yP eY29Qevl9HTQBH9y7wio5SajsLELfKkv9gpPA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=WY5TD/qDFMJ34JwZfEBo6JanVUZJJF8/8bw/2Z0I5Ks=; b=HU2/hYuBKCnJO5zYCD4iLP/F/GKlz+7KCQf1dAReMAVqZztaZ+cJ9yF+2PMuHDBUyo B7nfpg04bSnecJL4FfoXAdF+6+ScCksDcWBldVcAwMvR8PweD3PclayafmkDb8WiW4jt CPRFUxYkDbvWPQnH2IUzpXiJgLS+escog37685U8SQbEVs/Aw1PViq4ULt2YGNjEDf/1 t2VDKBK09HpzwQjP7TT9PXV7zWY0tsExh3YwGGkVOR6LGh0BT+L6IWT0Iofs1cTQnOBC x6UFUC4TDTOY31O2YOTgZupO04EljoSg0UMqGiks23sU1ret+XL/lSsnLP/gbVF17Nf2 E/kg== X-Gm-Message-State: ABuFfoiKAjEFAsIgoVrTU8FecHVquevPkIwjTOhyGpKEF10HajQnZOk3 Q5DdOX2gwSetPGSUKPP3FHDblQ== X-Google-Smtp-Source: ACcGV624e9WPRdNCN+ahEVelzIQg0ROt1JYZfg4RMPCOwoVwx1r3r9cBCAns+VcTzdjfk6l65r0MIA== X-Received: by 2002:a62:8ad1:: with SMTP id o78-v6mr978330pfk.17.1537834732471; Mon, 24 Sep 2018 17:18:52 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id t128-v6sm313731pfc.90.2018.09.24.17.18.42 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 24 Sep 2018 17:18:48 -0700 (PDT) From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v3 13/29] LoadPin: Rename "enable" to "enforce" Date: Mon, 24 Sep 2018 17:18:16 -0700 Message-Id: <20180925001832.18322-14-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180925001832.18322-1-keescook@chromium.org> References: <20180925001832.18322-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP LoadPin's "enable" setting is really about enforcement, not whether or not the LSM is using LSM hooks. Instead, split this out so that LSM enabling can be logically distinct from whether enforcement is happening (for example, the pinning happens when the LSM is enabled, but the pin is only checked when "enforce" is set). This allows LoadPin to continue to operate sanely in test environments once LSM enable/disable is centrally handled (i.e. we want LoadPin to be enabled separately from its enforcement). Signed-off-by: Kees Cook Reviewed-by: John Johansen --- security/loadpin/Kconfig | 4 ++-- security/loadpin/loadpin.c | 21 +++++++++++---------- 2 files changed, 13 insertions(+), 12 deletions(-) diff --git a/security/loadpin/Kconfig b/security/loadpin/Kconfig index dd01aa91e521..8653608a3693 100644 --- a/security/loadpin/Kconfig +++ b/security/loadpin/Kconfig @@ -10,10 +10,10 @@ config SECURITY_LOADPIN have a root filesystem backed by a read-only device such as dm-verity or a CDROM. -config SECURITY_LOADPIN_ENABLED +config SECURITY_LOADPIN_ENFORCING bool "Enforce LoadPin at boot" depends on SECURITY_LOADPIN help If selected, LoadPin will enforce pinning at boot. If not selected, it can be enabled at boot with the kernel parameter - "loadpin.enabled=1". + "loadpin.enforcing=1". diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c index 0716af28808a..d8a68a6f6fef 100644 --- a/security/loadpin/loadpin.c +++ b/security/loadpin/loadpin.c @@ -44,7 +44,7 @@ static void report_load(const char *origin, struct file *file, char *operation) kfree(pathname); } -static int enabled = IS_ENABLED(CONFIG_SECURITY_LOADPIN_ENABLED); +static int enforcing = IS_ENABLED(CONFIG_SECURITY_LOADPIN_ENFORCING); static struct super_block *pinned_root; static DEFINE_SPINLOCK(pinned_root_spinlock); @@ -60,8 +60,8 @@ static struct ctl_path loadpin_sysctl_path[] = { static struct ctl_table loadpin_sysctl_table[] = { { - .procname = "enabled", - .data = &enabled, + .procname = "enforcing", + .data = &enforcing, .maxlen = sizeof(int), .mode = 0644, .proc_handler = proc_dointvec_minmax, @@ -97,7 +97,7 @@ static void check_pinning_enforcement(struct super_block *mnt_sb) loadpin_sysctl_table)) pr_notice("sysctl registration failed!\n"); else - pr_info("load pinning can be disabled.\n"); + pr_info("enforcement can be disabled.\n"); } else pr_info("load pinning engaged.\n"); } @@ -128,7 +128,7 @@ static int loadpin_read_file(struct file *file, enum kernel_read_file_id id) /* This handles the older init_module API that has a NULL file. */ if (!file) { - if (!enabled) { + if (!enforcing) { report_load(origin, NULL, "old-api-pinning-ignored"); return 0; } @@ -151,7 +151,7 @@ static int loadpin_read_file(struct file *file, enum kernel_read_file_id id) * Unlock now since it's only pinned_root we care about. * In the worst case, we will (correctly) report pinning * failures before we have announced that pinning is - * enabled. This would be purely cosmetic. + * enforcing. This would be purely cosmetic. */ spin_unlock(&pinned_root_spinlock); check_pinning_enforcement(pinned_root); @@ -161,7 +161,7 @@ static int loadpin_read_file(struct file *file, enum kernel_read_file_id id) } if (IS_ERR_OR_NULL(pinned_root) || load_root != pinned_root) { - if (unlikely(!enabled)) { + if (unlikely(!enforcing)) { report_load(origin, file, "pinning-ignored"); return 0; } @@ -186,10 +186,11 @@ static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = { void __init loadpin_add_hooks(void) { - pr_info("ready to pin (currently %sabled)", enabled ? "en" : "dis"); + pr_info("ready to pin (currently %senforcing)\n", + enforcing ? "" : "not "); security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), "loadpin"); } /* Should not be mutable after boot, so not listed in sysfs (perm == 0). */ -module_param(enabled, int, 0); -MODULE_PARM_DESC(enabled, "Pin module/firmware loading (default: true)"); +module_param(enforcing, int, 0); +MODULE_PARM_DESC(enforcing, "Enforce module/firmware pinning"); From patchwork Tue Sep 25 00:18:17 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10613111 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 7E23015A6 for ; Tue, 25 Sep 2018 00:19:48 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6886829E9D for ; Tue, 25 Sep 2018 00:19:48 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 5C1D129EE6; Tue, 25 Sep 2018 00:19:48 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0329729E9D for ; Tue, 25 Sep 2018 00:19:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728759AbeIYGXi (ORCPT ); Tue, 25 Sep 2018 02:23:38 -0400 Received: from mail-pg1-f193.google.com ([209.85.215.193]:41408 "EHLO mail-pg1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728728AbeIYGXh (ORCPT ); Tue, 25 Sep 2018 02:23:37 -0400 Received: by mail-pg1-f193.google.com with SMTP id z3-v6so5141824pgv.8 for ; Mon, 24 Sep 2018 17:18:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=lGcBNu5wBxL18dEuz7PbQ+NY4GN1WXf9BVTSBp/Amas=; b=gD7CP7/qxk4zPAjD8lFjJqp5b3bRZEjBAjCCo4wJYbzZ6jajFoJ9+qC5PoG+RKYceb bIAUblel0hC5pn560KFzsTLgfvfxc97fW9EflATBw03g+ltasoXope1QyuX7aQseRlBN AbojF7Y7heVyyZVkkCenzPK4jse/5tgi48jks= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=lGcBNu5wBxL18dEuz7PbQ+NY4GN1WXf9BVTSBp/Amas=; b=XPYh/Vmy8/pHAT/0IFoJCUwotrJf9BPbrMiR9D3rp/pecKKDcC5l0FHadYgtWqauBH ibPuhHfEvNtRwKRyYvkF8rTmJhAEvcl5jCqz8Pe7PWgpk5SfumPQR10cTnLmNZTFSUIu SlojtWfkjHoeWUs1VrnYfi5Sr2nlRXm3fv9miiVnPMxFlb6Z9o7TelbiRNTtcYTpPlb7 +3ByANCkQnoZdsgoUy+Pi2f0AKgzru2xH6M4Eq+Y8S3pRgzAhDrKt3OX1tpf/zPoFOhC WeGDr5hPowLED4X86GsotZ/7M9G6l6B2m2TdmigestfYKX7xt3u5wx59hIIsX7XeoUvr PoiQ== X-Gm-Message-State: ABuFfojeWjwaSUWIakd/qo+OfgWjl5pqjXtWfOVNFRx6sWBokX68x1RN FEsNlBBfymqZPphwQT7QnBNg7A== X-Google-Smtp-Source: ACcGV63JzhUOEzLu1scPJiJRgCBlyCBoCC4xIcRXHPWWjBaN8jFqMnbq6Enj9Rr4zHwuY/7uKXDxMg== X-Received: by 2002:a62:384c:: with SMTP id f73-v6mr1008359pfa.242.1537834731566; Mon, 24 Sep 2018 17:18:51 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id r19-v6sm495971pgo.43.2018.09.24.17.18.42 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 24 Sep 2018 17:18:48 -0700 (PDT) From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v3 14/29] LSM: Plumb visibility into optional "enabled" state Date: Mon, 24 Sep 2018 17:18:17 -0700 Message-Id: <20180925001832.18322-15-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180925001832.18322-1-keescook@chromium.org> References: <20180925001832.18322-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP In preparation for lifting the "is this LSM enabled?" logic out of the individual LSMs, pass in any special enabled state tracking (as needed for SELinux, AppArmor, and LoadPin). This should be an "int" to include handling any future cases where "enabled" is exposed via sysctl which has no "bool" type. Signed-off-by: Kees Cook Reviewed-by: John Johansen --- include/linux/lsm_hooks.h | 1 + security/apparmor/lsm.c | 5 +++-- security/selinux/hooks.c | 1 + 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 5056f7374b3d..2a41e8e6f6e5 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2044,6 +2044,7 @@ extern void security_add_hooks(struct security_hook_list *hooks, int count, struct lsm_info { const char *name; /* Populated automatically. */ unsigned long flags; /* Optional: flags describing LSM */ + int *enabled; /* Optional: NULL means enabled. */ int (*init)(void); }; diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 4c5f63e9aeba..d03133a267f2 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1303,8 +1303,8 @@ bool aa_g_paranoid_load = true; module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO); /* Boot time disable flag */ -static bool apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE; -module_param_named(enabled, apparmor_enabled, bool, S_IRUGO); +static int apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE; +module_param_named(enabled, apparmor_enabled, int, 0444); static int __init apparmor_enabled_setup(char *str) { @@ -1608,5 +1608,6 @@ static int __init apparmor_init(void) DEFINE_LSM(apparmor) .flags = LSM_FLAG_LEGACY_MAJOR, + .enabled = &apparmor_enabled, .init = apparmor_init, END_LSM; diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 615cf6498c0f..3f999ed98cfd 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7204,6 +7204,7 @@ void selinux_complete_init(void) all processes and objects when they are created. */ DEFINE_LSM(selinux) .flags = LSM_FLAG_LEGACY_MAJOR, + .enabled = &selinux_enabled, .init = selinux_init, END_LSM; From patchwork Tue Sep 25 00:18:18 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10613089 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id DF88015A6 for ; Tue, 25 Sep 2018 00:18:56 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CB9A329E9D for ; Tue, 25 Sep 2018 00:18:56 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id BF81A29EE6; Tue, 25 Sep 2018 00:18:56 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2DA3329E9D for ; Tue, 25 Sep 2018 00:18:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728803AbeIYGXk (ORCPT ); Tue, 25 Sep 2018 02:23:40 -0400 Received: from mail-pf1-f194.google.com ([209.85.210.194]:44081 "EHLO mail-pf1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728808AbeIYGXj (ORCPT ); Tue, 25 Sep 2018 02:23:39 -0400 Received: by mail-pf1-f194.google.com with SMTP id k21-v6so9904867pff.11 for ; Mon, 24 Sep 2018 17:18:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=pgFNpibwNAtwiWO+o4W2d+eAEj/HAaJpud3NKmHQw+E=; b=T7C8Opx6VNnjvVzCxlQNN9r6sRRiTnI0CoBLWyvjA7d7xey3DUxmugdkdi1lNFhqkE gNAcn2P+7s98L84rFjurmYR5TrqSWxwmiaw/jKajSHO8g9wr8bU/E55oW43pnv/Adbt9 NIJYJkeJRfBI9Uhdv5hd/oDpVQNjmb0PjNQzA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=pgFNpibwNAtwiWO+o4W2d+eAEj/HAaJpud3NKmHQw+E=; b=fUob7VFipLATQ2hc36llDIXC4df8ckAJnFdT5cAGYPBzSbv/wmoCUoh4q7Dpr2LGZw pAMTPzHI6578d8kJVYg9+jscZvu3Bax/okyB5rAIwTpszw7xRK98emryoC5peYMgYalr 4uHIaVOduimyVzHY4/1kgxnOdlr1MOM5EvMUrObYRKG6lpoKGVQzQBcpTY4vo7V8J2X3 NU58EEsM0AurBapH5PUtDiyAN3+G/58XbOpgveyCzWgPFqIychNooGFI3rd1POopfemN gWgOuKtyRuIYdflh8Ak/b1EOXClky5AztFmXkuq4kBxOL02AfIH6KMl8gUurTh1DpRTr Up+g== X-Gm-Message-State: ABuFfogS5E/GLGzGCixCYxwAlJgu2+6MBMyVfI9WM19k9ea0sfQVtW12 F9GUU0Rw7IqcumG7s89KhNJC8Q== X-Google-Smtp-Source: ACcGV61+ILWzXzJ7p18z0i50bkVYUAE7SI3LrlETBZ0uCz2GaNhk1wuexwpSDH+kPhxGHZ01O0xKHQ== X-Received: by 2002:a63:1f0a:: with SMTP id f10-v6mr888903pgf.313.1537834733397; Mon, 24 Sep 2018 17:18:53 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id k3-v6sm903594pfk.60.2018.09.24.17.18.44 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 24 Sep 2018 17:18:48 -0700 (PDT) From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v3 15/29] LSM: Lift LSM selection out of individual LSMs Date: Mon, 24 Sep 2018 17:18:18 -0700 Message-Id: <20180925001832.18322-16-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180925001832.18322-1-keescook@chromium.org> References: <20180925001832.18322-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP As a prerequisite to adjusting LSM selection logic in the future, this moves the selection logic up out of the individual major LSMs, making their init functions only run when actually enabled. This considers all LSMs enabled by default unless they specified an external "enable" variable. Signed-off-by: Kees Cook Reviewed-by: John Johansen --- include/linux/lsm_hooks.h | 1 - security/apparmor/lsm.c | 6 --- security/security.c | 84 ++++++++++++++++++++++++-------------- security/selinux/hooks.c | 10 ----- security/smack/smack_lsm.c | 3 -- security/tomoyo/tomoyo.c | 2 - 6 files changed, 53 insertions(+), 53 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 2a41e8e6f6e5..95798f212dbf 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2091,7 +2091,6 @@ static inline void security_delete_hooks(struct security_hook_list *hooks, #define __lsm_ro_after_init __ro_after_init #endif /* CONFIG_SECURITY_WRITABLE_HOOKS */ -extern int __init security_module_enable(const char *module); extern void __init capability_add_hooks(void); #ifdef CONFIG_SECURITY_YAMA extern void __init yama_add_hooks(void); diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index d03133a267f2..5399c2f03536 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1542,12 +1542,6 @@ static int __init apparmor_init(void) { int error; - if (!apparmor_enabled || !security_module_enable("apparmor")) { - aa_info_message("AppArmor disabled by boot time parameter"); - apparmor_enabled = false; - return 0; - } - aa_secids_init(); error = aa_setup_dfa_engine(); diff --git a/security/security.c b/security/security.c index a886a978214a..056b36cf6245 100644 --- a/security/security.c +++ b/security/security.c @@ -52,33 +52,78 @@ static bool debug __initdata; pr_info(__VA_ARGS__); \ } while (0) +static bool __init is_enabled(struct lsm_info *lsm) +{ + if (!lsm->enabled || *lsm->enabled) + return true; + + return false; +} + +/* Mark an LSM's enabled flag, if it exists. */ +static void __init set_enabled(struct lsm_info *lsm, bool enabled) +{ + if (lsm->enabled) + *lsm->enabled = enabled; +} + +/* Is an LSM allowed to be initialized? */ +static bool __init lsm_allowed(struct lsm_info *lsm) +{ + /* Skip if the LSM is disabled. */ + if (!is_enabled(lsm)) + return false; + + /* Skip major-specific checks if not a major LSM. */ + if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0) + return true; + + /* Disabled if this LSM isn't the chosen one. */ + if (strcmp(lsm->name, chosen_lsm) != 0) + return false; + + return true; +} + +/* Check if LSM should be enabled. Mark any that are disabled. */ +static void __init maybe_initialize_lsm(struct lsm_info *lsm) +{ + int enabled = lsm_allowed(lsm); + + /* Record enablement. */ + set_enabled(lsm, enabled); + + /* If selected, initialize the LSM. */ + if (enabled) { + int ret; + + init_debug("initializing %s\n", lsm->name); + ret = lsm->init(); + WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret); + } +} + static void __init ordered_lsm_init(void) { struct lsm_info *lsm; - int ret; for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) != 0) continue; - init_debug("initializing %s\n", lsm->name); - ret = lsm->init(); - WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret); + maybe_initialize_lsm(lsm); } } static void __init major_lsm_init(void) { struct lsm_info *lsm; - int ret; for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0) continue; - init_debug("initializing %s\n", lsm->name); - ret = lsm->init(); - WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret); + maybe_initialize_lsm(lsm); } } @@ -168,29 +213,6 @@ static int lsm_append(char *new, char **result) return 0; } -/** - * security_module_enable - Load given security module on boot ? - * @module: the name of the module - * - * Each LSM must pass this method before registering its own operations - * to avoid security registration races. This method may also be used - * to check if your LSM is currently loaded during kernel initialization. - * - * Returns: - * - * true if: - * - * - The passed LSM is the one chosen by user at boot time, - * - or the passed LSM is configured as the default and the user did not - * choose an alternate LSM at boot time. - * - * Otherwise, return false. - */ -int __init security_module_enable(const char *module) -{ - return !strcmp(module, chosen_lsm); -} - /** * security_add_hooks - Add a modules hooks to the hook lists. * @hooks: the hooks to add diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3f999ed98cfd..409a9252aeb6 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7133,16 +7133,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { static __init int selinux_init(void) { - if (!security_module_enable("selinux")) { - selinux_enabled = 0; - return 0; - } - - if (!selinux_enabled) { - pr_info("SELinux: Disabled at boot.\n"); - return 0; - } - pr_info("SELinux: Initializing.\n"); memset(&selinux_state, 0, sizeof(selinux_state)); diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 4aef844fc0e2..e79fad43a8e3 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4834,9 +4834,6 @@ static __init int smack_init(void) struct cred *cred; struct task_smack *tsp; - if (!security_module_enable("smack")) - return 0; - smack_inode_cache = KMEM_CACHE(inode_smack, 0); if (!smack_inode_cache) return -ENOMEM; diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index 528b6244a648..39bb994ebe09 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c @@ -540,8 +540,6 @@ static int __init tomoyo_init(void) { struct cred *cred = (struct cred *) current_cred(); - if (!security_module_enable("tomoyo")) - return 0; /* register ourselves with the security framework */ security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo"); printk(KERN_INFO "TOMOYO Linux initialized\n"); From patchwork Tue Sep 25 00:18:19 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10613103 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id C8B5E14DA for ; Tue, 25 Sep 2018 00:19:27 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B46B529E9D for ; Tue, 25 Sep 2018 00:19:27 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id A80D729EE6; Tue, 25 Sep 2018 00:19:27 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 380C329E9D for ; Tue, 25 Sep 2018 00:19:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728847AbeIYGXm (ORCPT ); Tue, 25 Sep 2018 02:23:42 -0400 Received: from mail-pf1-f196.google.com ([209.85.210.196]:37334 "EHLO mail-pf1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728811AbeIYGXk (ORCPT ); Tue, 25 Sep 2018 02:23:40 -0400 Received: by mail-pf1-f196.google.com with SMTP id c14-v6so114260pfi.4 for ; Mon, 24 Sep 2018 17:18:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=/oQfTEGvfpO3aaeUDyhL3QKvWtsv1A9GazilfvGgv5Y=; b=EzCvaDR/khY1s3OqJfIVV4l2yS9aIoxaHwDltpgQYuBKUUAnFwa6eFifvAbSopZUEh nxMDgE2aAfX7BMTSloXu8x/h4cOc0na7zbdYW2TV1qVXWdnhYVZFEDIbfpOE1ZST6mTK rZjh6suXDIPx6vbWsrVTYfCrGpkCJD4uvrI/k= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=/oQfTEGvfpO3aaeUDyhL3QKvWtsv1A9GazilfvGgv5Y=; b=EkGMi2kf2iWruzCpAwiMgn814LSMg/7/05aqa058c1fGfjJ6CrGbqooyYn5GrXA94v 6ofV3r1BHh+slaU1zIvgcrSgxvaQ77w2pLEH7kwmlW6as9ZVhGc7EXJJNVXvimfRqONg hf8cVjWDvHy2WlN0Wr0AsBwnOE3FvD2+DLZ8gkUygRSxBYbsF1BmLxMS66UgHL0p/FyY unC76EouocaR5kwwT1D82JJIGrmtKI2dELTFrhbTQ27nl0nYpIGIo2dgigDgKEpxwNCL oT2QDlcdcXfDU/F7vl8xWNVEGNesPz7M88isr3esgfOtiz7jZyRExP9uVC74g9lhZ71N 50qw== X-Gm-Message-State: ABuFfohaafzAJr1Cf+wrKsxjUdBZHsm8W1+r9guyz3Xza1LJmYAk1R6x QxLfYAsCA5kSYrdy2nHM4kgm9A== X-Google-Smtp-Source: ACcGV61XWkI7jvMLgtkghMB5HT597VzTM/ppDIrjP2n2mSyP7lazRyZE6y0sWfJY3wUQqUMDr+n4Iw== X-Received: by 2002:a62:ad9:: with SMTP id 86-v6mr974854pfk.57.1537834734311; Mon, 24 Sep 2018 17:18:54 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id c23-v6sm610745pfh.26.2018.09.24.17.18.44 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 24 Sep 2018 17:18:48 -0700 (PDT) From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v3 16/29] LSM: Prepare for arbitrary LSM enabling Date: Mon, 24 Sep 2018 17:18:19 -0700 Message-Id: <20180925001832.18322-17-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180925001832.18322-1-keescook@chromium.org> References: <20180925001832.18322-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Before now, all the LSMs that did not specify an "enable" variable in their struct lsm_info were considered enabled by default. This prepares to make LSM enabling more explicit. For all LSMs without an explicit "enable" variable, a hard-coded storage location is chosen, and all LSMs without an external "enable" state have their state explicitly set to "enabled". This code appears more complex than it needs to be (comma-separated list parsing and "set" function parameter) because its use will be expanded on in the following patches to provide more explicit enabling. Signed-off-by: Kees Cook Reviewed-by: John Johansen --- security/security.c | 69 ++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 65 insertions(+), 4 deletions(-) diff --git a/security/security.c b/security/security.c index 056b36cf6245..a8107d54b3d3 100644 --- a/security/security.c +++ b/security/security.c @@ -54,17 +54,46 @@ static bool debug __initdata; static bool __init is_enabled(struct lsm_info *lsm) { - if (!lsm->enabled || *lsm->enabled) - return true; + if (WARN_ON(!lsm->enabled)) + return false; - return false; + return *lsm->enabled; } /* Mark an LSM's enabled flag, if it exists. */ -static void __init set_enabled(struct lsm_info *lsm, bool enabled) +static int lsm_enabled_true __initdata = 1; +static int lsm_enabled_false __initdata = 0; + +static void __init default_enabled(struct lsm_info *lsm, bool enabled) { + /* If storage location already set, skip this one. */ if (lsm->enabled) + return; + + /* + * When an LSM hasn't configured an enable variable, we can use + * a hard-coded location for storing the default enabled state. + */ + if (enabled) + lsm->enabled = &lsm_enabled_true; + else + lsm->enabled = &lsm_enabled_false; +} + +static void __init set_enabled(struct lsm_info *lsm, bool enabled) +{ + if (WARN_ON(!lsm->enabled)) + return; + + if (lsm->enabled == &lsm_enabled_true) { + if (!enabled) + lsm->enabled = &lsm_enabled_false; + } else if (lsm->enabled == &lsm_enabled_false) { + if (enabled) + lsm->enabled = &lsm_enabled_true; + } else { *lsm->enabled = enabled; + } } /* Is an LSM allowed to be initialized? */ @@ -127,6 +156,35 @@ static void __init major_lsm_init(void) } } +static void __init parse_lsm_enable(const char *str, + void (*set)(struct lsm_info *, bool), + bool enabled) +{ + char *sep, *name, *next; + + if (!str) + return; + + sep = kstrdup(str, GFP_KERNEL); + next = sep; + while ((name = strsep(&next, ",")) != NULL) { + struct lsm_info *lsm; + + for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { + if (strcmp(name, "all") == 0 || + strcmp(name, lsm->name) == 0) + set(lsm, enabled); + } + } + kfree(sep); +} + +static void __init prepare_lsm_enable(void) +{ + /* Prepare defaults. */ + parse_lsm_enable("all", default_enabled, true); +} + /** * security_init - initializes the security framework * @@ -143,6 +201,9 @@ int __init security_init(void) i++) INIT_HLIST_HEAD(&list[i]); + /* Figure out which LSMs are enabled and disabled. */ + prepare_lsm_enable(); + /* * Load minor LSMs, with the capability module always first. */ From patchwork Tue Sep 25 00:18:20 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10613143 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 2C98915A6 for ; Tue, 25 Sep 2018 00:26:01 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1A61229F00 for ; Tue, 25 Sep 2018 00:26:01 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 0EAF029F85; Tue, 25 Sep 2018 00:26:01 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A7F1429F00 for ; Tue, 25 Sep 2018 00:26:00 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727587AbeIYGaH (ORCPT ); Tue, 25 Sep 2018 02:30:07 -0400 Received: from mail-pf1-f193.google.com ([209.85.210.193]:33207 "EHLO mail-pf1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727428AbeIYGaG (ORCPT ); Tue, 25 Sep 2018 02:30:06 -0400 Received: by mail-pf1-f193.google.com with SMTP id d4-v6so9940262pfn.0 for ; Mon, 24 Sep 2018 17:25:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=rFbalDbpQVU7OjIRnEIJaOE4IoeEsoACg+mJq3logWg=; b=Rb1e51WfosNEyxho7niYo0jwgJozShnawgN0RvO94pmSSasn3ejlf9zF4xjlXWH+MO vAB+tb8PWXeSsckb73K6klVcoIg12gBRKyhNcH9TtfXRerFF28YW66ZYCE5/uOaeVB+R UqiWF71G8MavAmfFWHbsH00ci8WC5tgkle7yI= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=rFbalDbpQVU7OjIRnEIJaOE4IoeEsoACg+mJq3logWg=; b=sPpf37dmRhVjz16Jk2VLVMwYmXJtNMGiXoDN+hiQGF1MFiL1r3nmfeurMu1aIQt+wR XgiNNUPUX8L6JGo/58yEPwVbHzDfzWeOVUDBBi270UsuQRTtT7QsJ/gjJaEGePR035PF BmSYyGlkgm+C+P5wI763TFASEBpAn9D0f9wXwJh9foefR8D9Wp151oMibhi6dWhXiAGG 8mrvhUKtDT6zqH3IeTRhns4FIMbEeotjf2Ggt65FXdt/Sp1ORrcXP2sujenMBUPzUag7 Z7FSh6If53iyjnUMpwhgJKTeBx+OjAZDXHiJ+HY6hTxRCYglyapP8V4747oNsocKCTfw h+7w== X-Gm-Message-State: ABuFfoj6TrllaJWEk8sjkmvjPsF2GlYTDhqO7WbDd/fTfLdAqAU8u/eL aNzFlcjoJojJZQGLw3brXP9bOA== X-Google-Smtp-Source: ACcGV60ICBAe/yeo6RFqvOeHMxrBoCezDuR3lZYuExK++14x98wfiinzSx1BGg33GwSYslDVoPhbmg== X-Received: by 2002:a63:68c7:: with SMTP id d190-v6mr915939pgc.135.1537835118165; Mon, 24 Sep 2018 17:25:18 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id 3-v6sm683001pfq.10.2018.09.24.17.25.15 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 24 Sep 2018 17:25:16 -0700 (PDT) From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v3 17/29] LSM: Introduce CONFIG_LSM_ENABLE Date: Mon, 24 Sep 2018 17:18:20 -0700 Message-Id: <20180925001832.18322-18-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180925001832.18322-1-keescook@chromium.org> References: <20180925001832.18322-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP To provide a set of default-enabled LSMs at boot, this introduces the new CONFIG_LSM_ENABLE. A value of "all" means all builtin LSMs are enabled by default. Any unlisted LSMs will be implicitly disabled (excepting those with LSM-specific CONFIGs for enabling/disabling). The behavior of the LSM-specific CONFIGs for SELinux are AppArmor unchanged: the default-enabled state for those LSMs remains controlled through their LSM-specific "enable" CONFIGs. Signed-off-by: Kees Cook --- include/linux/lsm_hooks.h | 2 +- security/Kconfig | 8 ++++++++ security/security.c | 4 +++- 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 95798f212dbf..ab23f1bc6d77 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2044,7 +2044,7 @@ extern void security_add_hooks(struct security_hook_list *hooks, int count, struct lsm_info { const char *name; /* Populated automatically. */ unsigned long flags; /* Optional: flags describing LSM */ - int *enabled; /* Optional: NULL means enabled. */ + int *enabled; /* Optional: NULL checks CONFIG_LSM_ENABLE */ int (*init)(void); }; diff --git a/security/Kconfig b/security/Kconfig index 27d8b2688f75..71306b046270 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -276,5 +276,13 @@ config DEFAULT_SECURITY default "apparmor" if DEFAULT_SECURITY_APPARMOR default "" if DEFAULT_SECURITY_DAC +config LSM_ENABLE + string "LSMs to enable at boot time" + default "all" + help + A comma-separate list of LSMs to enable by default at boot. The + default is "all", to enable all LSM modules at boot. Any LSMs + not listed here will be disabled by default. + endmenu diff --git a/security/security.c b/security/security.c index a8107d54b3d3..7ecb9879a863 100644 --- a/security/security.c +++ b/security/security.c @@ -45,6 +45,8 @@ char *lsm_names; static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = CONFIG_DEFAULT_SECURITY; +static __initconst const char * const builtin_lsm_enable = CONFIG_LSM_ENABLE; + static bool debug __initdata; #define init_debug(...) \ do { \ @@ -182,7 +184,7 @@ static void __init parse_lsm_enable(const char *str, static void __init prepare_lsm_enable(void) { /* Prepare defaults. */ - parse_lsm_enable("all", default_enabled, true); + parse_lsm_enable(builtin_lsm_enable, default_enabled, true); } /** From patchwork Tue Sep 25 00:18:21 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10613141 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D1696112B for ; Tue, 25 Sep 2018 00:25:50 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BC3EA29F00 for ; Tue, 25 Sep 2018 00:25:50 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id AC6F229F85; Tue, 25 Sep 2018 00:25:50 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3F14D29F00 for ; Tue, 25 Sep 2018 00:25:50 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728263AbeIYGaJ (ORCPT ); Tue, 25 Sep 2018 02:30:09 -0400 Received: from mail-pf1-f193.google.com ([209.85.210.193]:35779 "EHLO mail-pf1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728177AbeIYGaI (ORCPT ); Tue, 25 Sep 2018 02:30:08 -0400 Received: by mail-pf1-f193.google.com with SMTP id p12-v6so9934041pfh.2 for ; Mon, 24 Sep 2018 17:25:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=D0/WPo99XAf06GH3nkcVhpC3IX4g7QPK+MCrVXTlZy4=; b=l/A2+cibrEfz7/yZEb4l5SyjQtkMpfWilXj0S0KhfH7psuUr+D8C5fgnyqoZxpLoLU ptaUqnRFfIvmNXOUUZFN+PIahQNlrTriix08jtczB6us5/dDd5DQIt4BjHISq1NsTyEH zrc93oH9OdNxmi6zydOWdSnZjCCoZ9X+OQAFQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=D0/WPo99XAf06GH3nkcVhpC3IX4g7QPK+MCrVXTlZy4=; b=ZYg6h0nt3OFVMnZ06MYkSfTgrhPBRbOxCo0DzY+e1Ogh20xdSo0VZAT4jLlZ991eQ5 FqzD1BJCjrfq9viLwySM1UehhrRsypUKK5QUrZzWtL759WkYVlWZmVoF7uceboPAE1hN ftoT3SJSnFl5YkN7lVrXBGhh4eNfldKROB8s/1DM0hsxMXkUPtHINAEVgWTJL++t2CKh 81ODhSZ4gozTi+6vQ85ryCIiXo+Wbz8XZJ5aiTvE0rD1U1dzy34MC9sUrol1/AwSIvVK cL5ntgx845D/15HrzBUnkZbzxHzBVWe0nVkpTrNQbXsg4ivFm4C5pY5wnhrZRnv5tZEl Szrg== X-Gm-Message-State: ABuFfogMBFEtXGhrRTqGVyxESSB8FNobR0AF6PhDvZb7MeuWVRg5StHZ O69Rq0pYtPLu+xT8/fYvsbfnjw== X-Google-Smtp-Source: ACcGV60AjhFfXXFGP+3F6NZZm8H4asXFHmRSD99uzdbECeeJ+nXSyCQoStdobAYuJqYJmJ0tSJdUXA== X-Received: by 2002:a63:115f:: with SMTP id 31-v6mr933261pgr.53.1537835120797; Mon, 24 Sep 2018 17:25:20 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id i185-v6sm536664pfe.140.2018.09.24.17.25.16 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 24 Sep 2018 17:25:16 -0700 (PDT) From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v3 18/29] LSM: Introduce lsm.enable= and lsm.disable= Date: Mon, 24 Sep 2018 17:18:21 -0700 Message-Id: <20180925001832.18322-19-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180925001832.18322-1-keescook@chromium.org> References: <20180925001832.18322-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP This introduces the "lsm.enable=..." and "lsm.disable=..." boot parameters which each can contain a comma-separated list of LSMs to enable or disable, respectively. The string "all" matches all LSMs. This has very similar functionality to the existing per-LSM enable handling ("apparmor.enabled=...", etc), but provides a centralized place to perform the changes. These parameters take precedent over any LSM-specific boot parameters. Disabling an LSM means it will not be considered when performing initializations. Enabling an LSM means either undoing a previous LSM-specific boot parameter disabling or a undoing a default-disabled CONFIG setting. For example: "lsm.disable=apparmor apparmor.enabled=1" will result in AppArmor being disabled. "selinux.enabled=0 lsm.enable=selinux" will result in SELinux being enabled. Signed-off-by: Kees Cook --- .../admin-guide/kernel-parameters.txt | 12 ++++++++++ security/Kconfig | 4 +++- security/security.c | 22 +++++++++++++++++++ 3 files changed, 37 insertions(+), 1 deletion(-) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 32d323ee9218..67c90985d2b8 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -2276,6 +2276,18 @@ lsm.debug [SECURITY] Enable LSM initialization debugging output. + lsm.disable=lsm1,...,lsmN + [SECURITY] Comma-separated list of LSMs to disable + at boot time. This overrides "lsm.enable=", + CONFIG_LSM_ENABLE, and any per-LSM CONFIGs and boot + parameters. + + lsm.enable=lsm1,...,lsmN + [SECURITY] Comma-separated list of LSMs to enable + at boot time. This overrides any omissions from + CONFIG_LSM_ENABLE, and any per-LSM CONFIGs and + boot parameters. + machvec= [IA-64] Force the use of a particular machine-vector (machvec) in a generic kernel. Example: machvec=hpzx1_swiotlb diff --git a/security/Kconfig b/security/Kconfig index 71306b046270..1a82a006cc62 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -282,7 +282,9 @@ config LSM_ENABLE help A comma-separate list of LSMs to enable by default at boot. The default is "all", to enable all LSM modules at boot. Any LSMs - not listed here will be disabled by default. + not listed here will be disabled by default. This can be + changed with the "lsm.enable=" and "lsm.disable=" boot + parameters. endmenu diff --git a/security/security.c b/security/security.c index 7ecb9879a863..456a3f73bc36 100644 --- a/security/security.c +++ b/security/security.c @@ -44,6 +44,8 @@ char *lsm_names; /* Boot-time LSM user choice */ static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = CONFIG_DEFAULT_SECURITY; +static __initdata const char *chosen_lsm_enable; +static __initdata const char *chosen_lsm_disable; static __initconst const char * const builtin_lsm_enable = CONFIG_LSM_ENABLE; @@ -185,6 +187,10 @@ static void __init prepare_lsm_enable(void) { /* Prepare defaults. */ parse_lsm_enable(builtin_lsm_enable, default_enabled, true); + + /* Process "lsm.enable=" and "lsm.disable=", if given. */ + parse_lsm_enable(chosen_lsm_enable, set_enabled, true); + parse_lsm_enable(chosen_lsm_disable, set_enabled, false); } /** @@ -240,6 +246,22 @@ static int __init enable_debug(char *str) } __setup("lsm.debug", enable_debug); +/* Explicitly enable a list of LSMs. */ +static int __init enable_lsm(char *str) +{ + chosen_lsm_enable = str; + return 1; +} +__setup("lsm.enable=", enable_lsm); + +/* Explicitly disable a list of LSMs. */ +static int __init disable_lsm(char *str) +{ + chosen_lsm_disable = str; + return 1; +} +__setup("lsm.disable=", disable_lsm); + static bool match_last_lsm(const char *list, const char *lsm) { const char *last; From patchwork Tue Sep 25 00:18:22 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10613145 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 57AB015A6 for ; Tue, 25 Sep 2018 00:26:09 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 467E229F00 for ; Tue, 25 Sep 2018 00:26:09 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 3AE6129F85; Tue, 25 Sep 2018 00:26:09 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D926829F00 for ; Tue, 25 Sep 2018 00:26:08 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726512AbeIYGay (ORCPT ); Tue, 25 Sep 2018 02:30:54 -0400 Received: from mail-pg1-f196.google.com ([209.85.215.196]:40949 "EHLO mail-pg1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727453AbeIYGaG (ORCPT ); Tue, 25 Sep 2018 02:30:06 -0400 Received: by mail-pg1-f196.google.com with SMTP id n31-v6so3239602pgm.7 for ; Mon, 24 Sep 2018 17:25:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=dcnxUGdM4FO17eHYuUfeuK9JPR89ogJMNeQRUezwAjU=; b=AQGOY/Zdh0wpfhlnTaQch+gsKeEk2rOe2ektyYESqmESf62tM1EDmSsoYn5JLLhMdK 9JTT3o7hxp+V3R+MkaEoprJW2RdJp6xsOqZiUW+kkUTc+7yXMlxIUNZ99LlmGuyRWG1I BZNXLBlfyMJjcLD/IL+KADS6U0NNut/sGwkw8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=dcnxUGdM4FO17eHYuUfeuK9JPR89ogJMNeQRUezwAjU=; b=oK0m/GnVscwkZBsEquCEQo0pcnP7OaSJ1mG2AqooM6sRl4X0VcTdaaM5AHGRdmyiLx TXyT4eW2zHK0pOgsIgfw2QK3ltCBUq1DHQuJ1dcKinC6LdXA2MuT4hqQ3TY4TDJs8O6j ETSMxsFpt2v2O0xuNgpEL8tgCfs6jl3f/ZnYCXMhfS18HYPkEUchYirz+6ociRKgjtlq nLX5vafERIcVjpk6rZNqVcYf9e7zwaASPCWQx9GdHlTZ2UVF6plk7yqDD3DbHaCD0Umg KGRaZlAof2QloVNUmBeayyoXSJF7d8m9ur66EWCwW7PWmw9auMLbFYCDzA4KHq+oDIu8 Cobg== X-Gm-Message-State: ABuFfohPKTXUruQPadR60IqLy+u7RP20o9ZJzEriYhoTXHva+ldG9382 eLf9FrgmvcOk+bx3uJjDjRRrkw== X-Google-Smtp-Source: ACcGV61HtB92YOXRXmkR76dq/+KIjtfUVl08OEqnkPLog6Kn7C2bYotCF2Fw84bvv1/Jn61is2xzkQ== X-Received: by 2002:a63:e918:: with SMTP id i24-v6mr992063pgh.64.1537835119019; Mon, 24 Sep 2018 17:25:19 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id g15-v6sm562058pfg.98.2018.09.24.17.25.15 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 24 Sep 2018 17:25:16 -0700 (PDT) From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v3 19/29] LSM: Prepare for reorganizing "security=" logic Date: Mon, 24 Sep 2018 17:18:22 -0700 Message-Id: <20180925001832.18322-20-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180925001832.18322-1-keescook@chromium.org> References: <20180925001832.18322-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP This moves the string handling for "security=" boot parameter into a stored pointer instead of a string duplicate. This will allow easier handling of the string when switching logic to use the coming enable/disable infrastructure. Signed-off-by: Kees Cook Reviewed-by: John Johansen --- security/security.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/security/security.c b/security/security.c index 456a3f73bc36..e325fcc41f00 100644 --- a/security/security.c +++ b/security/security.c @@ -34,18 +34,14 @@ #define MAX_LSM_EVM_XATTR 2 -/* Maximum number of letters for an LSM name string */ -#define SECURITY_NAME_MAX 10 - struct security_hook_heads security_hook_heads __lsm_ro_after_init; static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain); char *lsm_names; /* Boot-time LSM user choice */ -static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = - CONFIG_DEFAULT_SECURITY; static __initdata const char *chosen_lsm_enable; static __initdata const char *chosen_lsm_disable; +static __initdata const char *chosen_major_lsm; static __initconst const char * const builtin_lsm_enable = CONFIG_LSM_ENABLE; @@ -112,7 +108,7 @@ static bool __init lsm_allowed(struct lsm_info *lsm) return true; /* Disabled if this LSM isn't the chosen one. */ - if (strcmp(lsm->name, chosen_lsm) != 0) + if (strcmp(lsm->name, chosen_major_lsm) != 0) return false; return true; @@ -191,6 +187,9 @@ static void __init prepare_lsm_enable(void) /* Process "lsm.enable=" and "lsm.disable=", if given. */ parse_lsm_enable(chosen_lsm_enable, set_enabled, true); parse_lsm_enable(chosen_lsm_disable, set_enabled, false); + + if (!chosen_major_lsm) + chosen_major_lsm = CONFIG_DEFAULT_SECURITY; } /** @@ -231,12 +230,12 @@ int __init security_init(void) } /* Save user chosen LSM */ -static int __init choose_lsm(char *str) +static int __init choose_major_lsm(char *str) { - strncpy(chosen_lsm, str, SECURITY_NAME_MAX); + chosen_major_lsm = str; return 1; } -__setup("security=", choose_lsm); +__setup("security=", choose_major_lsm); /* Enable LSM order debugging. */ static int __init enable_debug(char *str) From patchwork Tue Sep 25 00:18:23 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10613137 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A15AD17D2 for ; Tue, 25 Sep 2018 00:25:27 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8E52729F00 for ; Tue, 25 Sep 2018 00:25:27 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 7C58429FB6; Tue, 25 Sep 2018 00:25:27 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 284E829F53 for ; Tue, 25 Sep 2018 00:25:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728328AbeIYGaN (ORCPT ); Tue, 25 Sep 2018 02:30:13 -0400 Received: from mail-pf1-f193.google.com ([209.85.210.193]:33214 "EHLO mail-pf1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728153AbeIYGaK (ORCPT ); Tue, 25 Sep 2018 02:30:10 -0400 Received: by mail-pf1-f193.google.com with SMTP id d4-v6so9940356pfn.0 for ; Mon, 24 Sep 2018 17:25:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=na71TelZGQ6m9GWmFesTEQd4UFPGStcPcyELJo/B8RM=; b=WT0YX7zWHH6WAFUpHrLCf6WlHBYsAnIO+a8HgEj8X2cHErLyMHE4+4lURbnqC9RSWP OAI/QXRK7mPFoG6493qlcbXboTjzJt9RnSjNs6ynisvoaqJDem5XEBsJFacRmRblesy5 zO8Y4O737dUtgCyCSBjo26tzCLDAdhdaVZOI4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=na71TelZGQ6m9GWmFesTEQd4UFPGStcPcyELJo/B8RM=; b=CQWrcMviTBfvOpuT4Z8dw8YILbvGgSK3Y5nGyry0bavaW+KEcZnwEUMKOrUs8Je9X2 bWYFx5KX2YzbBqlVzHgllSJHRWj7HyBCnd5s9HGCtQquzo7WqyvIk4OS/EHQ6pDnl60W hA9g7iZfFzV7/DsRCNmaVeAH0gcRixIdIUOo6kcftpXvFTl33KIG075btuNMGKrrYtyc pEFQtFCwC+ltsWFvaHzksoraBKtwWtGg3dzG+bxbo0AcpHhbUTmL0hF/wYfRgeDrcK5L HsejcrikPiAJ2IXtCTtK4FhBEmTxxGO0McnIFcKlfOSXbc69aSGCb4upwDC7d/upZcSD kyXQ== X-Gm-Message-State: ABuFfoj9KH8GtiGNngw16EJBzqBt+JlyzosNfF7MuaHdZ9TQaZGhIGhN 7ghqxbizB4pm3PamISyngOHl9w== X-Google-Smtp-Source: ACcGV63fiF8Usp5VDSHevpjSdzhvKONFzj5aTYfHcBlazhkjuEJWBw3JJudQ4OVRL0TAURsxjxz1Aw== X-Received: by 2002:a65:608b:: with SMTP id t11-v6mr936718pgu.259.1537835121914; Mon, 24 Sep 2018 17:25:21 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id v190-v6sm547521pgb.16.2018.09.24.17.25.17 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 24 Sep 2018 17:25:20 -0700 (PDT) From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v3 20/29] LSM: Refactor "security=" in terms of enable/disable Date: Mon, 24 Sep 2018 17:18:23 -0700 Message-Id: <20180925001832.18322-21-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180925001832.18322-1-keescook@chromium.org> References: <20180925001832.18322-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP For what are marked as the Legacy Major LSMs, make them effectively exclusive when selected on the "security=" boot parameter, to handle the future case of when a previously major LSMs become non-exclusive (e.g. when TOMOYO starts blob-sharing). Signed-off-by: Kees Cook --- security/security.c | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/security/security.c b/security/security.c index e325fcc41f00..a98549b334af 100644 --- a/security/security.c +++ b/security/security.c @@ -103,14 +103,6 @@ static bool __init lsm_allowed(struct lsm_info *lsm) if (!is_enabled(lsm)) return false; - /* Skip major-specific checks if not a major LSM. */ - if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0) - return true; - - /* Disabled if this LSM isn't the chosen one. */ - if (strcmp(lsm->name, chosen_major_lsm) != 0) - return false; - return true; } @@ -188,8 +180,24 @@ static void __init prepare_lsm_enable(void) parse_lsm_enable(chosen_lsm_enable, set_enabled, true); parse_lsm_enable(chosen_lsm_disable, set_enabled, false); + /* Process "security=", if given. */ if (!chosen_major_lsm) chosen_major_lsm = CONFIG_DEFAULT_SECURITY; + if (chosen_major_lsm) { + struct lsm_info *lsm; + + /* + * To match the original "security=" behavior, this + * explicitly does NOT fallback to another Legacy Major + * if the selected one was separately disabled: disable + * all non-matching Legacy Major LSMs. + */ + for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { + if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) && + strcmp(lsm->name, chosen_major_lsm) != 0) + set_enabled(lsm, false); + } + } } /** From patchwork Tue Sep 25 00:18:24 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10613091 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id BEE7314DA for ; Tue, 25 Sep 2018 00:19:07 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id AAE9F29E9D for ; Tue, 25 Sep 2018 00:19:07 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 9EC6C29EE6; Tue, 25 Sep 2018 00:19:07 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 301C029E9D for ; Tue, 25 Sep 2018 00:19:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728907AbeIYGXq (ORCPT ); Tue, 25 Sep 2018 02:23:46 -0400 Received: from mail-pf1-f195.google.com ([209.85.210.195]:35239 "EHLO mail-pf1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728897AbeIYGXp (ORCPT ); Tue, 25 Sep 2018 02:23:45 -0400 Received: by mail-pf1-f195.google.com with SMTP id p12-v6so9924814pfh.2 for ; Mon, 24 Sep 2018 17:18:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=FSgldt3bPHeF5iFdvu16EuWQiqi5PthEyk829crGPAE=; b=Qm3PiI0i/KOlH8XTHdlAltE6Dume1a//MCmxmyktr55LnxqVFXPvoHg1vr7LDR1vAC rignWwTdniVYmTUOOqgUsC5EKEKq62QzBD4ADvRDK2nj54evH8LeFHNrm8wZ4Kb1K/iT d2JPmCit2ACMlPeIAIXmDigtIfhdqkGFfPBnc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=FSgldt3bPHeF5iFdvu16EuWQiqi5PthEyk829crGPAE=; b=BsC3lQ3zWRoT+sbHBghyUBymjDhMZt5x1n4hEt3c0XLOs08gKYoS7oin2M9CCuEcYU abo4KagXOdIDnVLOonwga2WO2yuPSwdZlIE4xEFZeVvaCyco9n0k7jsyP5W5h0CjnkFR EZ8bCSmudjz8uG1oRSFGUJ3cIEVWv3aFGLoAcEgpUMerI0BOudPzAReKbdu63kitD7Zf zYc7MaiKVIeZMTEtSZ9YJ+/T3ROXIoe3QtbbhnK0R1ItLOVAx1m0ttp/QCxrXnI3gdFF 63f1VglO+JQ7bCeGnpdrqUDaYWG+5nITCn31UlptOUdKiAHlSXn3feqLILFRBCg4XSX9 AU7w== X-Gm-Message-State: ABuFfojAmvolx5n8L9431a7Mel0/IipwPLto6Awp8BV/FT3TuVW+wLaz pDo0wCc6oDf5jNgPSB1IHqeprg== X-Google-Smtp-Source: ACcGV61c14UKfKbzpEIBsQVKW3LwKSWYCDC7uG4VRfY0+u6lXN6scvnXZFQJFxGLq27t88JL3X5VSQ== X-Received: by 2002:a17:902:c85:: with SMTP id 5-v6mr948803plt.141.1537834739008; Mon, 24 Sep 2018 17:18:59 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id u184-v6sm676442pgd.27.2018.09.24.17.18.46 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 24 Sep 2018 17:18:50 -0700 (PDT) From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v3 21/29] LSM: Build ordered list of ordered LSMs for init Date: Mon, 24 Sep 2018 17:18:24 -0700 Message-Id: <20180925001832.18322-22-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180925001832.18322-1-keescook@chromium.org> References: <20180925001832.18322-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP This constructs a list of ordered LSMs to initialize, using a hard-coded list of only "integrity": minor LSMs continue to have direct hook calls, and major LSMs continue to initialize separately. Signed-off-by: Kees Cook --- security/security.c | 59 +++++++++++++++++++++++++++++++++++++++------ 1 file changed, 52 insertions(+), 7 deletions(-) diff --git a/security/security.c b/security/security.c index a98549b334af..ef1ced0a3a50 100644 --- a/security/security.c +++ b/security/security.c @@ -34,6 +34,9 @@ #define MAX_LSM_EVM_XATTR 2 +/* How many LSMs were built into the kernel? */ +#define LSM_COUNT (__end_lsm_info - __start_lsm_info) + struct security_hook_heads security_hook_heads __lsm_ro_after_init; static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain); @@ -45,6 +48,9 @@ static __initdata const char *chosen_major_lsm; static __initconst const char * const builtin_lsm_enable = CONFIG_LSM_ENABLE; +/* Ordered list of LSMs to initialize. */ +static __initdata struct lsm_info **ordered_lsms; + static bool debug __initdata; #define init_debug(...) \ do { \ @@ -96,6 +102,45 @@ static void __init set_enabled(struct lsm_info *lsm, bool enabled) } } +/* Is an LSM already listed in the ordered LSMs list? */ +static bool __init exists_ordered_lsm(struct lsm_info *lsm) +{ + struct lsm_info **check; + + for (check = ordered_lsms; *check; check++) + if (*check == lsm) + return true; + + return false; +} + +/* Append an LSM to the list of ordered LSMs to initialize. */ +static int last_lsm __initdata; +static void __init append_ordered_lsm(struct lsm_info *lsm, const char *from) +{ + /* Ignore duplicate selections. */ + if (exists_ordered_lsm(lsm)) + return; + + if (WARN(last_lsm == LSM_COUNT, "%s: out of LSM slots!?\n", from)) + return; + + ordered_lsms[last_lsm++] = lsm; + init_debug("%s ordering: %s (%sabled)\n", from, lsm->name, + is_enabled(lsm) ? "en" : "dis"); +} + +/* Populate ordered LSMs list from hard-coded list of LSMs. */ +static void __init prepare_lsm_order(void) +{ + struct lsm_info *lsm; + + for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { + if (strcmp(lsm->name, "integrity") == 0) + append_ordered_lsm(lsm, "builtin"); + } +} + /* Is an LSM allowed to be initialized? */ static bool __init lsm_allowed(struct lsm_info *lsm) { @@ -126,14 +171,10 @@ static void __init maybe_initialize_lsm(struct lsm_info *lsm) static void __init ordered_lsm_init(void) { - struct lsm_info *lsm; - - for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { - if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) != 0) - continue; + struct lsm_info **lsm; - maybe_initialize_lsm(lsm); - } + for (lsm = ordered_lsms; *lsm; lsm++) + maybe_initialize_lsm(*lsm); } static void __init major_lsm_init(void) @@ -215,6 +256,8 @@ int __init security_init(void) for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct hlist_head); i++) INIT_HLIST_HEAD(&list[i]); + ordered_lsms = kcalloc(LSM_COUNT + 1, sizeof(*ordered_lsms), + GFP_KERNEL); /* Figure out which LSMs are enabled and disabled. */ prepare_lsm_enable(); @@ -227,6 +270,7 @@ int __init security_init(void) loadpin_add_hooks(); /* Load LSMs in specified order. */ + prepare_lsm_order(); ordered_lsm_init(); /* @@ -234,6 +278,7 @@ int __init security_init(void) */ major_lsm_init(); + kfree(ordered_lsms); return 0; } From patchwork Tue Sep 25 00:18:25 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10613135 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 872F9112B for ; Tue, 25 Sep 2018 00:25:27 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 74F7329F00 for ; Tue, 25 Sep 2018 00:25:27 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 6942829F94; Tue, 25 Sep 2018 00:25:27 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 06B9229F00 for ; Tue, 25 Sep 2018 00:25:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728195AbeIYGaN (ORCPT ); Tue, 25 Sep 2018 02:30:13 -0400 Received: from mail-pg1-f196.google.com ([209.85.215.196]:39642 "EHLO mail-pg1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728328AbeIYGaK (ORCPT ); Tue, 25 Sep 2018 02:30:10 -0400 Received: by mail-pg1-f196.google.com with SMTP id 85-v6so7053952pge.6 for ; Mon, 24 Sep 2018 17:25:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=OmKzimyohhf+zr/naGxorwDbJPy1b1KsUqv0GqD4+8g=; b=Mbq8PKJrbJf8ZmYeZ3v1vr3hrS7QR/UloEPJJy62xaaRSqyhqR35KPqeOStWYSIm4b 90LegfQCpHdGAbEJxGXndnXOslYWoGmHB87W3qyr+Sfh0tq9/T7OZuG9OpWFQ/E58/qX 6WsNIfQuyi+8VRbo9Ipi8NY/jRyj5fne5lrHg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=OmKzimyohhf+zr/naGxorwDbJPy1b1KsUqv0GqD4+8g=; b=Er+i3HEGpAB6HKur9mg/0NvVlejLGYjIzCYzY2CQFsOGmMDv/KImryNO7yJgqSckTu Nv0l93btStRPIZSEEkpbCAdDulvsYE8aX52wWz5qz5GDaMQDa+FZkhaE+/fY9axmM7lu 8lfFuMmQ3+Whp3sCqqmLZcLkJSeeYaxidkyTxwH9YnB13KqFBEo8bEEAnQz9cuINSjzB 4o45Io/QCnNmkXJXNecv4ALRJtij1iGwuq0HWg9qo9KZmTqFlu6Fo6JBzcLHdb9mVEGt dyQr3ejFDe7rWCVkSRVdsgBR0HycN+CCEP7tYzrwCLgkObJUflCyos9qZhYDO5yPyWyG 4Jaw== X-Gm-Message-State: ABuFfohh+aY5qypPYawl4bEp8TM9Y1p9f+R4h4picfaEHOhyPA6bZ86Y 6BwhTkFOMCWL5OtjdI2QbtfqPA== X-Google-Smtp-Source: ACcGV60lZ0y5vkt0p1Pzl8z+uGPW4Sd3O8rQySRUYFSGxVZ7Mp1TS+0Z9TBRZ3Y2AG9ErbIpgrATow== X-Received: by 2002:a63:bd01:: with SMTP id a1-v6mr963990pgf.12.1537835123026; Mon, 24 Sep 2018 17:25:23 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id p75-v6sm631227pfi.22.2018.09.24.17.25.17 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 24 Sep 2018 17:25:20 -0700 (PDT) From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v3 22/29] LSM: Introduce CONFIG_LSM_ORDER Date: Mon, 24 Sep 2018 17:18:25 -0700 Message-Id: <20180925001832.18322-23-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180925001832.18322-1-keescook@chromium.org> References: <20180925001832.18322-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP This provides a way to declare LSM initialization order via Kconfig. Signed-off-by: Kees Cook --- security/Kconfig | 16 ++++++++++++++++ security/security.c | 40 +++++++++++++++++++++++++++++++++++++--- 2 files changed, 53 insertions(+), 3 deletions(-) diff --git a/security/Kconfig b/security/Kconfig index 1a82a006cc62..7ec86dbdb6b8 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -286,5 +286,21 @@ config LSM_ENABLE changed with the "lsm.enable=" and "lsm.disable=" boot parameters. + Note that any enabled exclusive LSM modules will be initialized + based on LSM ordering, automatically disabling any following + exclusive LSMs. See CONFIG_LSM_ORDER for more details on + changing LSM initialization order. + +config LSM_ORDER + string "Default initialization order of builtin LSMs" + default "integrity" + help + A comma-separated list of LSMs, in initialization order. + Any LSMs left off this list will be link-order initialized + after any listed LSMs. Any LSMs listed here but not built in + the kernel will be ignored. + + If unsure, leave this as the default. + endmenu diff --git a/security/security.c b/security/security.c index ef1ced0a3a50..e38df0314f5e 100644 --- a/security/security.c +++ b/security/security.c @@ -47,6 +47,7 @@ static __initdata const char *chosen_lsm_disable; static __initdata const char *chosen_major_lsm; static __initconst const char * const builtin_lsm_enable = CONFIG_LSM_ENABLE; +static __initconst const char * const builtin_lsm_order = CONFIG_LSM_ORDER; /* Ordered list of LSMs to initialize. */ static __initdata struct lsm_info **ordered_lsms; @@ -130,14 +131,47 @@ static void __init append_ordered_lsm(struct lsm_info *lsm, const char *from) is_enabled(lsm) ? "en" : "dis"); } -/* Populate ordered LSMs list from hard-coded list of LSMs. */ +/* Populate ordered LSMs list from given string. */ +static void __init parse_lsm_order(const char *order, const char *origin) +{ + struct lsm_info *lsm; + char *sep, *name, *next; + + if (!order) + return; + + sep = kstrdup(order, GFP_KERNEL); + next = sep; + /* Walk the list, looking for matching LSMs. */ + while ((name = strsep(&next, ",")) != NULL) { + bool found = false; + + for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { + if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0 && + strcmp(lsm->name, name) == 0) { + append_ordered_lsm(lsm, origin); + found = true; + } + } + + if (!found) + init_debug("%s ignored: %s\n", origin, name); + } + kfree(sep); +} + +/* Populate ordered LSMs list from builtin list of LSMs. */ static void __init prepare_lsm_order(void) { struct lsm_info *lsm; + /* Parse order from builtin list. */ + parse_lsm_order(builtin_lsm_order, "builtin"); + + /* Add any missing LSMs, in link order. */ for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { - if (strcmp(lsm->name, "integrity") == 0) - append_ordered_lsm(lsm, "builtin"); + if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0) + append_ordered_lsm(lsm, "link-time"); } } From patchwork Tue Sep 25 00:18:26 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10613105 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9C8E815A6 for ; Tue, 25 Sep 2018 00:19:28 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 88B9029E9D for ; Tue, 25 Sep 2018 00:19:28 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 7C4E229EE6; Tue, 25 Sep 2018 00:19:28 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1C42529E9D for ; Tue, 25 Sep 2018 00:19:28 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727482AbeIYGXm (ORCPT ); Tue, 25 Sep 2018 02:23:42 -0400 Received: from mail-pg1-f193.google.com ([209.85.215.193]:39083 "EHLO mail-pg1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728835AbeIYGXk (ORCPT ); Tue, 25 Sep 2018 02:23:40 -0400 Received: by mail-pg1-f193.google.com with SMTP id 85-v6so7044577pge.6 for ; Mon, 24 Sep 2018 17:18:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=gU8yPNVAJgM0Xsl0Xg5cYn4RlLsSLFMLd0v2DDJ1qcc=; b=DsyIjfnmbUEIcckKSghwPU6vbUtA3jFBt7UXg0nenJyyTmedsS/1ngyUfKFE3uSifv 6L3u3gAq24e8/rqldOC3FwmzYXXN8NvXuASwSOrovYWebTiwfT7r4sRg8UivsYBScKb9 eVlnvx/ruLqfPFRcXrZHXO6xD4nqtaLFlFC7o= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=gU8yPNVAJgM0Xsl0Xg5cYn4RlLsSLFMLd0v2DDJ1qcc=; b=Fw+GO/BkPPS2rCfE/E1KN9FhFItBm9xyc6Znc3L7aar06TKs8/qIqIrUJYHD4PwlBZ kyYCUzDfHRABUNWMJbHYaiCmEcg7/cV2A0hMba4C1684tZ//BqVDMTJhoO8q8c0LoUqB +OXz5jyz8N2/t2IS7m3SSvxgGjd/SxW2KEolwMEsXia9GX2gx0vJ7yZFe6hxo1yhQs6U pnc7Psl/hYBbHDWkuBqIILO7dG3yFbkL9tIiLNc79uUl85UIu19dSJls2pUGXWqjgC8z ieLzJf10TaVChhKMrB/5ds80hRzt3J55S+DSEywZDgZrvwjsxV+SX4HkTPUECQ9yXkMA GHVA== X-Gm-Message-State: ABuFfoiWK8iKmV40dyCRQqPncuuZh6w9Bvg6Vd22QS9XjwDXzFtmrKTF loeq2xGsbgE2t/x6c1zQ5dUVhQ== X-Google-Smtp-Source: ACcGV61G2pnFUw/Q4F1NXTTg0KFo8jl0iUqoLOz6In9fV1XKgsmQsPAANPdQEU1hs8nNzJ7dovGUTg== X-Received: by 2002:a63:4281:: with SMTP id p123-v6mr907162pga.91.1537834735149; Mon, 24 Sep 2018 17:18:55 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id v2-v6sm516945pgf.58.2018.09.24.17.18.47 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 24 Sep 2018 17:18:48 -0700 (PDT) From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v3 23/29] LSM: Introduce "lsm.order=" for boottime ordering Date: Mon, 24 Sep 2018 17:18:26 -0700 Message-Id: <20180925001832.18322-24-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180925001832.18322-1-keescook@chromium.org> References: <20180925001832.18322-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Provide a way to reorder LSM initialization using the new "lsm.order=" comma-separated list of LSMs. Any LSMs not listed will be added in builtin order. Signed-off-by: Kees Cook --- Documentation/admin-guide/kernel-parameters.txt | 6 ++++++ security/security.c | 14 +++++++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 67c90985d2b8..c7c1a0d253ee 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -2288,6 +2288,12 @@ CONFIG_LSM_ENABLE, and any per-LSM CONFIGs and boot parameters. + lsm.order=lsm1,...,lsmN + [SECURITY] Choose order of enabled LSM + initialization. Any builtin LSMs not listed here + will be implicitly appended to the list in builtin + order. + machvec= [IA-64] Force the use of a particular machine-vector (machvec) in a generic kernel. Example: machvec=hpzx1_swiotlb diff --git a/security/security.c b/security/security.c index e38df0314f5e..f1c3581d870f 100644 --- a/security/security.c +++ b/security/security.c @@ -44,6 +44,7 @@ char *lsm_names; /* Boot-time LSM user choice */ static __initdata const char *chosen_lsm_enable; static __initdata const char *chosen_lsm_disable; +static __initdata const char *chosen_lsm_order; static __initdata const char *chosen_major_lsm; static __initconst const char * const builtin_lsm_enable = CONFIG_LSM_ENABLE; @@ -160,11 +161,14 @@ static void __init parse_lsm_order(const char *order, const char *origin) kfree(sep); } -/* Populate ordered LSMs list from builtin list of LSMs. */ +/* Populate ordered LSMs list from commandline and builtin list of LSMs. */ static void __init prepare_lsm_order(void) { struct lsm_info *lsm; + /* Parse order from commandline, if present. */ + parse_lsm_order(chosen_lsm_order, "cmdline"); + /* Parse order from builtin list. */ parse_lsm_order(builtin_lsm_order, "builtin"); @@ -324,6 +328,14 @@ static int __init choose_major_lsm(char *str) } __setup("security=", choose_major_lsm); +/* Explicitly choose LSM initialization order. */ +static int __init choose_lsm_order(char *str) +{ + chosen_lsm_order = str; + return 1; +} +__setup("lsm.order=", choose_lsm_order); + /* Enable LSM order debugging. */ static int __init enable_debug(char *str) { From patchwork Tue Sep 25 00:18:27 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10613133 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id BD5DA15A6 for ; Tue, 25 Sep 2018 00:25:24 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9F36C29F00 for ; Tue, 25 Sep 2018 00:25:24 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 9219029F85; Tue, 25 Sep 2018 00:25:24 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2952829F00 for ; Tue, 25 Sep 2018 00:25:24 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727441AbeIYGaK (ORCPT ); Tue, 25 Sep 2018 02:30:10 -0400 Received: from mail-pf1-f196.google.com ([209.85.210.196]:43563 "EHLO mail-pf1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728089AbeIYGaI (ORCPT ); Tue, 25 Sep 2018 02:30:08 -0400 Received: by mail-pf1-f196.google.com with SMTP id j26-v6so9917478pfi.10 for ; Mon, 24 Sep 2018 17:25:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=Pya6MC5far/FOfcushoRqmIT4FUPYgdqjyBKbeVxUoc=; b=UCVgRcncAb7cIHCs1DGQLChJ9vknqvr/KNTZmJDV0LdfEJZVVSzD0shsoQEJqe4PXs UwUKLSseT07JL4uz0zHBV/9Cr9zChAdT+lUVenHyPtM4SBk4R7WFHN9YiF2IFf3WNuZP U7JVbVyivOeCwc8DrjTpiDsGGtbIWs3Baj5WY= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=Pya6MC5far/FOfcushoRqmIT4FUPYgdqjyBKbeVxUoc=; b=r0yeHF7Lo98ZwvSGiJP48CI7E/vb+PfpCxPDI7oLCV59Q2d7jLauveSin2n7bX8hsJ s6bNVveDJulxZjIAcfr2G47onHzNtqIh3wHT3tsSqgse4+qswzkGUnCVW+oDr+1CxfM8 +JA9yjMdONVwUmpeex5fcqM0JfWhf4hCzSU3QQgsQYUkpTc22xLKwQ9linKieS9dIoRZ ZxkpZjt6qGPyuuRp3lq/jlZLVL/H6FoVoiEiu8UHdajHa8upz9fGEwh8QK+MGc5fwqRz d1zf70W9iP7F3Nu6lrhH7Mwiv9cYoBTF4V9vU8V+60/O/EksNROv0gYXjaYmTixJhUoG p6qg== X-Gm-Message-State: ABuFfoj3osFA9onGk6QDfS1YH1WBIXwa+j7t9xonD4Fgyotko/2ucQv6 9FrJewsGvJz/mDjvCeYrxsJsYg== X-Google-Smtp-Source: ACcGV61imBdMwuASY8sKrVNwy7MU0PyosXE4NK2RARP8Q0lXckzuclV+DhQ1RewxW4ZTB/zjK+qb0A== X-Received: by 2002:a62:c288:: with SMTP id w8-v6mr1024051pfk.92.1537835119907; Mon, 24 Sep 2018 17:25:19 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id e123-v6sm635695pfg.3.2018.09.24.17.25.15 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 24 Sep 2018 17:25:16 -0700 (PDT) From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v3 24/29] LoadPin: Initialize as ordered LSM Date: Mon, 24 Sep 2018 17:18:27 -0700 Message-Id: <20180925001832.18322-25-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180925001832.18322-1-keescook@chromium.org> References: <20180925001832.18322-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP This converts LoadPin from being a direct "minor" LSM into an ordered LSM. Signed-off-by: Kees Cook --- include/linux/lsm_hooks.h | 5 ----- security/Kconfig | 2 +- security/loadpin/loadpin.c | 7 ++++++- security/security.c | 1 - 4 files changed, 7 insertions(+), 8 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index ab23f1bc6d77..9df08955f684 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2097,10 +2097,5 @@ extern void __init yama_add_hooks(void); #else static inline void __init yama_add_hooks(void) { } #endif -#ifdef CONFIG_SECURITY_LOADPIN -void __init loadpin_add_hooks(void); -#else -static inline void loadpin_add_hooks(void) { }; -#endif #endif /* ! __LINUX_LSM_HOOKS_H */ diff --git a/security/Kconfig b/security/Kconfig index 7ec86dbdb6b8..e20c2a3143e7 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -293,7 +293,7 @@ config LSM_ENABLE config LSM_ORDER string "Default initialization order of builtin LSMs" - default "integrity" + default "loadpin,integrity" help A comma-separated list of LSMs, in initialization order. Any LSMs left off this list will be link-order initialized diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c index d8a68a6f6fef..7abdf4619b46 100644 --- a/security/loadpin/loadpin.c +++ b/security/loadpin/loadpin.c @@ -184,13 +184,18 @@ static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(kernel_load_data, loadpin_load_data), }; -void __init loadpin_add_hooks(void) +static int __init loadpin_init(void) { pr_info("ready to pin (currently %senforcing)\n", enforcing ? "" : "not "); security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), "loadpin"); + return 0; } +DEFINE_LSM(loadpin) + .init = loadpin_init, +END_LSM; + /* Should not be mutable after boot, so not listed in sysfs (perm == 0). */ module_param(enforcing, int, 0); MODULE_PARM_DESC(enforcing, "Enforce module/firmware pinning"); diff --git a/security/security.c b/security/security.c index f1c3581d870f..cb25f321e044 100644 --- a/security/security.c +++ b/security/security.c @@ -305,7 +305,6 @@ int __init security_init(void) */ capability_add_hooks(); yama_add_hooks(); - loadpin_add_hooks(); /* Load LSMs in specified order. */ prepare_lsm_order(); From patchwork Tue Sep 25 00:18:28 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10613147 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id EB719112B for ; Tue, 25 Sep 2018 00:26:09 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D851429F00 for ; Tue, 25 Sep 2018 00:26:09 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id CCA5929F85; Tue, 25 Sep 2018 00:26:09 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7498029F00 for ; Tue, 25 Sep 2018 00:26:09 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727453AbeIYGa4 (ORCPT ); Tue, 25 Sep 2018 02:30:56 -0400 Received: from mail-pg1-f195.google.com ([209.85.215.195]:45828 "EHLO mail-pg1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726202AbeIYGaF (ORCPT ); Tue, 25 Sep 2018 02:30:05 -0400 Received: by mail-pg1-f195.google.com with SMTP id t70-v6so5318458pgd.12 for ; Mon, 24 Sep 2018 17:25:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=26HwrhgbY9cvM6kiZxqXmx96X44xA2LItbJkK19GtUc=; b=jEHfLEEmvCHoHpdkX18SYepWqOJD5LRyua7XSGQhGp2ygtqjv/oHu8rVpid8kjPMBY L1R3EvDuejeJXG60ENlSUInWBdp0v0wvMJpEPpDd5zVtE/X8nJgieCMqIcZ0ast6c1vQ BXIzX1Wxjs2z5WzbNhL6qkL/wytvy11EK7NB4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=26HwrhgbY9cvM6kiZxqXmx96X44xA2LItbJkK19GtUc=; b=dM5TN2lLTh6wRbPBvMpFgNEXMxCz5NhERr4/HXJ0/BSh9pjp6yNZZldXcLK3w9w0t5 KKHZFKIHUnrgh/vhUt/Og1CdR6NONU1ec+LhrcgjbjxCFsdy/IdwXAzJds7mezQmeTOc KVNGJqQvrbKImf+4LFRmvAsT3j1ixdGXJ25+8Am0vNtgVScrYZixdK1HSirakT6Aepse OWkXR7luyjGmBrklyCCY+WEZMmvRDw8/mpi4CGK4SzFUlgc9jZq2vZctOtuXamJgGxzI 2Akddwtrz5tBiXMViQXz2DsPGohu9MpqqSCfEoew7e1H70OG0Jz2fPHh8MCy7QEbG4I6 79Mg== X-Gm-Message-State: ABuFfogHptI2k8AexRf/DdaAkIwWlUYaGHrC4IyE9cMtKvgE2dHZDosz +t/6feRGeQ90ar4RQf1ZxnJCxg== X-Google-Smtp-Source: ACcGV63ugphL4k+l4lCbKf1vYeL+nBWs/NoSCC1/5e65OIcYkG38MwZn7jzbPEayozc7XA4wdDAgfQ== X-Received: by 2002:a63:c912:: with SMTP id o18-v6mr885994pgg.331.1537835117337; Mon, 24 Sep 2018 17:25:17 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id 3-v6sm683002pfq.10.2018.09.24.17.25.15 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 24 Sep 2018 17:25:16 -0700 (PDT) From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v3 25/29] Yama: Initialize as ordered LSM Date: Mon, 24 Sep 2018 17:18:28 -0700 Message-Id: <20180925001832.18322-26-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180925001832.18322-1-keescook@chromium.org> References: <20180925001832.18322-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP This converts Yama from being a direct "minor" LSM into an ordered LSM. Signed-off-by: Kees Cook --- include/linux/lsm_hooks.h | 5 ----- security/Kconfig | 2 +- security/security.c | 1 - security/yama/yama_lsm.c | 7 ++++++- 4 files changed, 7 insertions(+), 8 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 9df08955f684..5be95c6155b4 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2092,10 +2092,5 @@ static inline void security_delete_hooks(struct security_hook_list *hooks, #endif /* CONFIG_SECURITY_WRITABLE_HOOKS */ extern void __init capability_add_hooks(void); -#ifdef CONFIG_SECURITY_YAMA -extern void __init yama_add_hooks(void); -#else -static inline void __init yama_add_hooks(void) { } -#endif #endif /* ! __LINUX_LSM_HOOKS_H */ diff --git a/security/Kconfig b/security/Kconfig index e20c2a3143e7..e37de9a44747 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -293,7 +293,7 @@ config LSM_ENABLE config LSM_ORDER string "Default initialization order of builtin LSMs" - default "loadpin,integrity" + default "yama,loadpin,integrity" help A comma-separated list of LSMs, in initialization order. Any LSMs left off this list will be link-order initialized diff --git a/security/security.c b/security/security.c index cb25f321e044..c4ba5832ef2f 100644 --- a/security/security.c +++ b/security/security.c @@ -304,7 +304,6 @@ int __init security_init(void) * Load minor LSMs, with the capability module always first. */ capability_add_hooks(); - yama_add_hooks(); /* Load LSMs in specified order. */ prepare_lsm_order(); diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c index ffda91a4a1aa..f2b1f47f98e8 100644 --- a/security/yama/yama_lsm.c +++ b/security/yama/yama_lsm.c @@ -477,9 +477,14 @@ static void __init yama_init_sysctl(void) static inline void yama_init_sysctl(void) { } #endif /* CONFIG_SYSCTL */ -void __init yama_add_hooks(void) +static int __init yama_init(void) { pr_info("Yama: becoming mindful.\n"); security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks), "yama"); yama_init_sysctl(); + return 0; } + +DEFINE_LSM(yama) + .init = yama_init, +END_LSM; From patchwork Tue Sep 25 00:18:29 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10613139 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id AEFA015A6 for ; Tue, 25 Sep 2018 00:25:31 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9D00229F00 for ; Tue, 25 Sep 2018 00:25:31 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 90AC429F85; Tue, 25 Sep 2018 00:25:31 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 32D0329F00 for ; Tue, 25 Sep 2018 00:25:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728497AbeIYGaN (ORCPT ); Tue, 25 Sep 2018 02:30:13 -0400 Received: from mail-pf1-f196.google.com ([209.85.210.196]:33907 "EHLO mail-pf1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728347AbeIYGaM (ORCPT ); Tue, 25 Sep 2018 02:30:12 -0400 Received: by mail-pf1-f196.google.com with SMTP id k19-v6so9936395pfi.1 for ; Mon, 24 Sep 2018 17:25:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=v+bgLsnYIEjOih3SRhhO7dkDnRKEzVCMNAzz+EjXpHg=; b=ck2/wFpivCOb7/CK8KeVglR5VoDX76r4hYd79A+wfNOLkLEcgXUGgqVnxKYwcMc6ML AkdbGwQzpJBB0VMnsxFyv5d0oAj9FQy+OjJoFd0UqtkzGX+cjXhY8HcVbQ0ZOy8EFzFj bVWb4JREC6bs66N2yNnqhi/DBFx/kunb4Td3A= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=v+bgLsnYIEjOih3SRhhO7dkDnRKEzVCMNAzz+EjXpHg=; b=o8sNWtHY60dX/F+FlvIhmiKZagszCAQYFl5Tt8B6IV8TQK1y3KEo0eUmp7Yjcwv7wr O9Fenjky/sLr0s0RbGfrToCqLWo0feKys6DQ6476kB1zhndqeWBAz2cCgxY6xBjpMvb/ add4JYAuTUJYvF4xH06Q5a9RiEmGAL0rFeZQNrPD1h983xWBJ+xh97KQh2ti3sO2S3jj 1AUls6vVKKitI51ZIR94HWZwdHDqcKOZaPFLBsck6TuQjxUxgz/LL7J0Fn6TpB7XTzKn lqDD38eXtUrk0wI2nGuVgj+fNPd9z+zhkj4dh0NBYhCJg0a52S1I78Q8zDkV+Ag3ykqv 1+5Q== X-Gm-Message-State: ABuFfogD3tyxlGVKp7HteHr+UU+H8uDP5VnlAYpypxTMIs7pnulo4h8Z tcs8xUECxkAYZLtAkASyJLHrzQ== X-Google-Smtp-Source: ACcGV61GzfRbyoeVB/zFFoHIWLaMdn1xpYcS7i99l+puB02zFzFGRU00KqLtZ5DjuLibaUXmes51yQ== X-Received: by 2002:a63:6f45:: with SMTP id k66-v6mr923000pgc.360.1537835124567; Mon, 24 Sep 2018 17:25:24 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id a11-v6sm497393pgv.29.2018.09.24.17.25.18 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 24 Sep 2018 17:25:20 -0700 (PDT) From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v3 26/29] LSM: Introduce enum lsm_order Date: Mon, 24 Sep 2018 17:18:29 -0700 Message-Id: <20180925001832.18322-27-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180925001832.18322-1-keescook@chromium.org> References: <20180925001832.18322-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP In preparation for distinguishing the "capability" LSM from other LSMs, it must be ordered first. This introduces LSM_ORDER_MUTABLE for the general LSMs, LSM_ORDER_FIRST for capabilities, and LSM_ORDER_LAST for anything that must run last (e.g. Landlock may use this in the future). Signed-off-by: Kees Cook --- include/linux/lsm_hooks.h | 7 +++++++ security/security.c | 18 ++++++++++++++++-- 2 files changed, 23 insertions(+), 2 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 5be95c6155b4..b38902ea0be5 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2041,8 +2041,15 @@ extern void security_add_hooks(struct security_hook_list *hooks, int count, #define LSM_FLAG_LEGACY_MAJOR BIT(0) +enum lsm_order { + LSM_ORDER_FIRST = -1, /* This is only for capabilities. */ + LSM_ORDER_MUTABLE = 0, + LSM_ORDER_LAST, +}; + struct lsm_info { const char *name; /* Populated automatically. */ + enum lsm_order order; /* Optional: default is LSM_ORDER_MUTABLE */ unsigned long flags; /* Optional: flags describing LSM */ int *enabled; /* Optional: NULL checks CONFIG_LSM_ENABLE */ int (*init)(void); diff --git a/security/security.c b/security/security.c index c4ba5832ef2f..8b93afa75e3c 100644 --- a/security/security.c +++ b/security/security.c @@ -148,7 +148,8 @@ static void __init parse_lsm_order(const char *order, const char *origin) bool found = false; for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { - if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0 && + if (lsm->order == LSM_ORDER_MUTABLE && + (lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0 && strcmp(lsm->name, name) == 0) { append_ordered_lsm(lsm, origin); found = true; @@ -166,6 +167,12 @@ static void __init prepare_lsm_order(void) { struct lsm_info *lsm; + /* LSM_ORDER_FIRST is always first. */ + for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { + if (lsm->order == LSM_ORDER_FIRST) + append_ordered_lsm(lsm, "first"); + } + /* Parse order from commandline, if present. */ parse_lsm_order(chosen_lsm_order, "cmdline"); @@ -174,9 +181,16 @@ static void __init prepare_lsm_order(void) /* Add any missing LSMs, in link order. */ for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { - if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0) + if (lsm->order == LSM_ORDER_MUTABLE && + (lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0) append_ordered_lsm(lsm, "link-time"); } + + /* LSM_ORDER_LAST is always last. */ + for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { + if (lsm->order == LSM_ORDER_LAST) + append_ordered_lsm(lsm, "last"); + } } /* Is an LSM allowed to be initialized? */ From patchwork Tue Sep 25 00:18:30 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10613101 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id C8BFB14DA for ; Tue, 25 Sep 2018 00:19:23 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B4ABC29E9D for ; Tue, 25 Sep 2018 00:19:23 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id A862129EE6; Tue, 25 Sep 2018 00:19:23 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5265929E9D for ; Tue, 25 Sep 2018 00:19:23 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727247AbeIYGYC (ORCPT ); Tue, 25 Sep 2018 02:24:02 -0400 Received: from mail-pg1-f195.google.com ([209.85.215.195]:33193 "EHLO mail-pg1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728849AbeIYGXn (ORCPT ); Tue, 25 Sep 2018 02:23:43 -0400 Received: by mail-pg1-f195.google.com with SMTP id y18-v6so6814840pge.0 for ; Mon, 24 Sep 2018 17:18:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=FC/QKfEJBIYGajENgFeOjr6c8O9WQvcgfsZ6DqAb1iY=; b=j40WdLdyIbYENYwIgFmEWOcifIjaAw3581c2wJaONAih3gdzAeKVhQgA+Bvqc2OX20 jKeeiiqKlVVGo8An0aCZmJhCN+/At8m4VHwgn0lUvvdJ+EGOvVFTOSwI3nTXgCdrgiTl FEq0mmGCl1eLkJ5DYIwwtWnSe3WTyYlbUfI7k= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=FC/QKfEJBIYGajENgFeOjr6c8O9WQvcgfsZ6DqAb1iY=; b=BUfjvtbbv+Bw1xMxKE9TG8M583T49V68c+4J2E9Q0KcEUsuONuBs2IRDM2Xnl+d56N +40xHaS6IeI+e4EXwt/CGoirQdguX4bZfZsUB3VPM/ds8qmH3sWdLtWtFxbEjZNK31/V NTLiE+i7t5e+sNXdAEdMXTt10w27WFIGpI0M7voURF/9jvBjRrR5DMYRLAODggUck6si nwykm3GBglwz37EnrHmf1ThUWC1ikUjFI9Oo/Xp8YW3DP9m4c5E5hTB8XMMg3ju11EXY lhHniHuMj7lUd0U+r2xaeCWi1OC6w/rOsydh3C4YCozSH7BgOo43wz6+HPxNRkTwMW57 ZwXA== X-Gm-Message-State: ABuFfohXUx+u1PmfQJp0Felv0Ewt2Zi0UOuYQMgeTdASZP/22giGpAVS Zk2+4aq5wld0sRHFGh437xmRWw== X-Google-Smtp-Source: ACcGV61+0XKAShS9YXtlV6HhqybC8QtIfXfrmmicSAk/xG9Q3GAK6Gdii1Yz7F+YokNmEQOnsOtcIQ== X-Received: by 2002:a62:69c9:: with SMTP id e192-v6mr981027pfc.35.1537834737132; Mon, 24 Sep 2018 17:18:57 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id b73-v6sm661299pfj.93.2018.09.24.17.18.48 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 24 Sep 2018 17:18:48 -0700 (PDT) From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v3 27/29] capability: Initialize as LSM_ORDER_FIRST Date: Mon, 24 Sep 2018 17:18:30 -0700 Message-Id: <20180925001832.18322-28-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180925001832.18322-1-keescook@chromium.org> References: <20180925001832.18322-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP This converts capabilities to use the new LSM_ORDER_FIRST position. Signed-off-by: Kees Cook --- include/linux/lsm_hooks.h | 2 -- security/commoncap.c | 8 +++++++- security/security.c | 9 ++++----- 3 files changed, 11 insertions(+), 8 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index b38902ea0be5..950042fb2385 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2098,6 +2098,4 @@ static inline void security_delete_hooks(struct security_hook_list *hooks, #define __lsm_ro_after_init __ro_after_init #endif /* CONFIG_SECURITY_WRITABLE_HOOKS */ -extern void __init capability_add_hooks(void); - #endif /* ! __LINUX_LSM_HOOKS_H */ diff --git a/security/commoncap.c b/security/commoncap.c index 2e489d6a3ac8..7a6abaec65de 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -1366,10 +1366,16 @@ struct security_hook_list capability_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(vm_enough_memory, cap_vm_enough_memory), }; -void __init capability_add_hooks(void) +static int __init capability_init(void) { security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks), "capability"); + return 0; } +DEFINE_LSM(capability) + .order = LSM_ORDER_FIRST, + .init = capability_init, +END_LSM; + #endif /* CONFIG_SECURITY */ diff --git a/security/security.c b/security/security.c index 8b93afa75e3c..ade74b90b73c 100644 --- a/security/security.c +++ b/security/security.c @@ -62,6 +62,10 @@ static bool debug __initdata; static bool __init is_enabled(struct lsm_info *lsm) { + /* LSM_ORDER_FIRST is always enabled. */ + if (lsm->order == LSM_ORDER_FIRST) + return true; + if (WARN_ON(!lsm->enabled)) return false; @@ -314,11 +318,6 @@ int __init security_init(void) /* Figure out which LSMs are enabled and disabled. */ prepare_lsm_enable(); - /* - * Load minor LSMs, with the capability module always first. - */ - capability_add_hooks(); - /* Load LSMs in specified order. */ prepare_lsm_order(); ordered_lsm_init(); From patchwork Tue Sep 25 00:18:31 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10613093 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 4987A14DA for ; Tue, 25 Sep 2018 00:19:11 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 347B929EC0 for ; Tue, 25 Sep 2018 00:19:11 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 2775E29E9D; Tue, 25 Sep 2018 00:19:11 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id ACFEA29E9D for ; Tue, 25 Sep 2018 00:19:10 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727613AbeIYGXy (ORCPT ); Tue, 25 Sep 2018 02:23:54 -0400 Received: from mail-pf1-f195.google.com ([209.85.210.195]:46770 "EHLO mail-pf1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728836AbeIYGXo (ORCPT ); Tue, 25 Sep 2018 02:23:44 -0400 Received: by mail-pf1-f195.google.com with SMTP id d8-v6so2958413pfo.13 for ; Mon, 24 Sep 2018 17:18:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=mdPLBrV86brfh6UmS043o/g5aoVc6H7x7cEeohypzFE=; b=bpz2sKAilWIIzusgyQATBx+ty90qv45CNB1P4sbc6019yMyILdQx1mrvJE8CFqekoh zCaz7Ng3B3KCQcDkpLC7tZrKP5wcQ+ON+JDkMpnXqnZ8fIpO6D+dvBwI1VudM1zOzejX AYRChWUJXtfaki4TVYGJc5RfPgj1ZDOfb1vBs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=mdPLBrV86brfh6UmS043o/g5aoVc6H7x7cEeohypzFE=; b=olL2TygcwRfN1kRmMil/FM11m3iFByyQb53t5JShHuV8fRb12uAfzdCN0M7eu/kXr4 1zYu9RhoOY+I+bWkZfRc4pM84Jp4vnqKvcNAumAaemHjyDHgz7QQY3v0BHv9lSHGE2+y 63lD8H3JXCd2M+uLztmgPsjArbKYWNZO7bEK/xoPJZTSH85irYUrpIAEZLSqJMLYKmzs Y9MZ3AJjXF6DAZzHW0K797MDpwaMVjgrhyOJtJtntStZ8EJ8ZVBnqsajHEYMnbz555Qk w7gHJTyASX29FlWrsOMpplMuh3luVAAO9Ri27jdD95uBJOJ/+9TED4XuOYvw9TOsn65/ Bo+w== X-Gm-Message-State: ABuFfogkXR2hzBRjLA3OK/9bJ2nF/WGXKlfXPPKyc81SfDE+9t6DnqLg 2nP5F4AfHEEH+clbYyahCEAlYZ37jHw= X-Google-Smtp-Source: ACcGV6060sXsy7bzJlo0awXtW/tWu5u15XmLS1sYG37rkA6kfoV61gD++is9N27LjTcOQdLJivS6zA== X-Received: by 2002:a17:902:b03:: with SMTP id 3-v6mr993116plq.156.1537834738027; Mon, 24 Sep 2018 17:18:58 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id g21-v6sm704862pfe.41.2018.09.24.17.18.48 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 24 Sep 2018 17:18:48 -0700 (PDT) From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v3 28/29] LSM: Separate idea of "major" LSM from "exclusive" LSM Date: Mon, 24 Sep 2018 17:18:31 -0700 Message-Id: <20180925001832.18322-29-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180925001832.18322-1-keescook@chromium.org> References: <20180925001832.18322-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP In order to both support old "security=" Legacy Major LSM selection, and handling real exclusivity, this creates LSM_FLAG_EXCLUSIVE and updates the selection logic to handle them. Signed-off-by: Kees Cook --- include/linux/lsm_hooks.h | 1 + security/apparmor/lsm.c | 2 +- security/security.c | 12 ++++++++++++ security/selinux/hooks.c | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- 6 files changed, 17 insertions(+), 4 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 950042fb2385..0f5d44d0a9cc 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2040,6 +2040,7 @@ extern void security_add_hooks(struct security_hook_list *hooks, int count, char *lsm); #define LSM_FLAG_LEGACY_MAJOR BIT(0) +#define LSM_FLAG_EXCLUSIVE BIT(1) enum lsm_order { LSM_ORDER_FIRST = -1, /* This is only for capabilities. */ diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 5399c2f03536..d68bc931d388 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1601,7 +1601,7 @@ static int __init apparmor_init(void) } DEFINE_LSM(apparmor) - .flags = LSM_FLAG_LEGACY_MAJOR, + .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, .enabled = &apparmor_enabled, .init = apparmor_init, END_LSM; diff --git a/security/security.c b/security/security.c index ade74b90b73c..5a3e19f1fe48 100644 --- a/security/security.c +++ b/security/security.c @@ -52,6 +52,7 @@ static __initconst const char * const builtin_lsm_order = CONFIG_LSM_ORDER; /* Ordered list of LSMs to initialize. */ static __initdata struct lsm_info **ordered_lsms; +static __initdata struct lsm_info *exclusive; static bool debug __initdata; #define init_debug(...) \ @@ -204,6 +205,12 @@ static bool __init lsm_allowed(struct lsm_info *lsm) if (!is_enabled(lsm)) return false; + /* Not allowed if another exclusive LSM already initialized. */ + if ((lsm->flags & LSM_FLAG_EXCLUSIVE) && exclusive) { + init_debug("exclusive disabled: %s\n", lsm->name); + return false; + } + return true; } @@ -219,6 +226,11 @@ static void __init maybe_initialize_lsm(struct lsm_info *lsm) if (enabled) { int ret; + if ((lsm->flags & LSM_FLAG_EXCLUSIVE) && !exclusive) { + exclusive = lsm; + init_debug("exclusive: %s\n", lsm->name); + } + init_debug("initializing %s\n", lsm->name); ret = lsm->init(); WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret); diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 409a9252aeb6..5461d54fcd99 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7193,7 +7193,7 @@ void selinux_complete_init(void) /* SELinux requires early initialization in order to label all processes and objects when they are created. */ DEFINE_LSM(selinux) - .flags = LSM_FLAG_LEGACY_MAJOR, + .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, .enabled = &selinux_enabled, .init = selinux_init, END_LSM; diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index e79fad43a8e3..e46c1ea8cf84 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4880,6 +4880,6 @@ static __init int smack_init(void) * all processes and objects when they are created. */ DEFINE_LSM(smack) - .flags = LSM_FLAG_LEGACY_MAJOR, + .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, .init = smack_init, END_LSM; diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index 39bb994ebe09..cc39eb8df61a 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c @@ -549,6 +549,6 @@ static int __init tomoyo_init(void) } DEFINE_LSM(tomoyo) - .flags = LSM_FLAG_LEGACY_MAJOR, + .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, .init = tomoyo_init, END_LSM; From patchwork Tue Sep 25 00:18:32 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10613107 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9748215A6 for ; Tue, 25 Sep 2018 00:19:34 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 82A1929E9D for ; Tue, 25 Sep 2018 00:19:34 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 7538829EE6; Tue, 25 Sep 2018 00:19:34 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EFBCE29E9D for ; Tue, 25 Sep 2018 00:19:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726922AbeIYGYN (ORCPT ); Tue, 25 Sep 2018 02:24:13 -0400 Received: from mail-pg1-f195.google.com ([209.85.215.195]:41417 "EHLO mail-pg1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727588AbeIYGXm (ORCPT ); Tue, 25 Sep 2018 02:23:42 -0400 Received: by mail-pg1-f195.google.com with SMTP id z3-v6so5141935pgv.8 for ; Mon, 24 Sep 2018 17:18:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=Q5l74R9wyjkir+Dl1KfDtlUqJXEi99o1nRx2MTGeLAA=; b=Pc+q2RRyvzsoZBouIG80xzpFm9EsGeO0tXH6j1/diIYrgBIbKZyvtDViuG9FxKDXtb i1n/PqHYqFeMMikJATe+MEztj7ZWbYCteKV5QPaeR98UGRYs4Zvod/03NjQ4KE4b1ugf JzOq4kpyJauKk2D8askDI5VN8m3R+bF8GVX9Q= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=Q5l74R9wyjkir+Dl1KfDtlUqJXEi99o1nRx2MTGeLAA=; b=cycbH8pzL94P7zpGPcGYQcYkI00rX9O9/9tVb6HwSxls7OGMek6dCsCidfBaP4I1fl NIgBNPxBBMlTaJ+e2md7UaX9bcYgzp+hpmltE2xWZkcwfpXZNXNe9Mbo1bVax142P6jR Srnhus8fE+e7X68Bpg5Y/86y8DifARU3Xvv1QJmP/5ZXdpDYDCYm5lxgyfWR3PwWcWrA Lmj6vtcgAZp0/aYjt3Y876cSRdL46MkUek490015bedJfUzzS2G01OaWircx6VG+hwwN L2G44jET10xrLq8vXnpkGk9AZjQtqStITPl8xMmV5o3iOjTK6pTnI+9F+6sM4+ajiT4S y+rQ== X-Gm-Message-State: ABuFfoidYMn2SZ2MGfvY/+XLWs5R5a+V7zNt37zM7ReVWDbKzvLVZlXu 9v7stYg4TqfFQslUUGdxPwhMaA== X-Google-Smtp-Source: ACcGV61YOtyaJj2609MU4UnUf90BOclgZko4bqt+Ci7APPeVZ7gzO9IsnE17FTypeJudSy2XHtQPAA== X-Received: by 2002:a65:5286:: with SMTP id y6-v6mr891384pgp.65.1537834736257; Mon, 24 Sep 2018 17:18:56 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id k3-v6sm903756pfk.60.2018.09.24.17.18.48 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 24 Sep 2018 17:18:48 -0700 (PDT) From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v3 29/29] LSM: Add all exclusive LSMs to ordered initialization Date: Mon, 24 Sep 2018 17:18:32 -0700 Message-Id: <20180925001832.18322-30-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180925001832.18322-1-keescook@chromium.org> References: <20180925001832.18322-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP This removes CONFIG_DEFAULT_SECURITY in favor of the explicit build-time ordering offered by CONFIG_LSM_ORDER, and adds all the exclusive LSMs to the ordered LSM initialization. The old meaning of CONFIG_DEFAULT_SECURITY is now captured by which exclusive LSM is listed first in the LSM order. Signed-off-by: Kees Cook --- security/Kconfig | 43 ++++--------------------------------------- security/security.c | 23 +---------------------- 2 files changed, 5 insertions(+), 61 deletions(-) diff --git a/security/Kconfig b/security/Kconfig index e37de9a44747..efa4826c3d99 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -239,43 +239,6 @@ source security/yama/Kconfig source security/integrity/Kconfig -choice - prompt "Default security module" - default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX - default DEFAULT_SECURITY_SMACK if SECURITY_SMACK - default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO - default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR - default DEFAULT_SECURITY_DAC - - help - Select the security module that will be used by default if the - kernel parameter security= is not specified. - - config DEFAULT_SECURITY_SELINUX - bool "SELinux" if SECURITY_SELINUX=y - - config DEFAULT_SECURITY_SMACK - bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y - - config DEFAULT_SECURITY_TOMOYO - bool "TOMOYO" if SECURITY_TOMOYO=y - - config DEFAULT_SECURITY_APPARMOR - bool "AppArmor" if SECURITY_APPARMOR=y - - config DEFAULT_SECURITY_DAC - bool "Unix Discretionary Access Controls" - -endchoice - -config DEFAULT_SECURITY - string - default "selinux" if DEFAULT_SECURITY_SELINUX - default "smack" if DEFAULT_SECURITY_SMACK - default "tomoyo" if DEFAULT_SECURITY_TOMOYO - default "apparmor" if DEFAULT_SECURITY_APPARMOR - default "" if DEFAULT_SECURITY_DAC - config LSM_ENABLE string "LSMs to enable at boot time" default "all" @@ -293,12 +256,14 @@ config LSM_ENABLE config LSM_ORDER string "Default initialization order of builtin LSMs" - default "yama,loadpin,integrity" + default "yama,loadpin,integrity,selinux,smack,tomoyo,apparmor" help A comma-separated list of LSMs, in initialization order. Any LSMs left off this list will be link-order initialized after any listed LSMs. Any LSMs listed here but not built in - the kernel will be ignored. + the kernel will be ignored. If the boot parameter + "lsm.order=" is used, it will override this order, with any + unlisted LSMs falling back to the order of this config, etc. If unsure, leave this as the default. diff --git a/security/security.c b/security/security.c index 5a3e19f1fe48..fedc26fb8554 100644 --- a/security/security.c +++ b/security/security.c @@ -154,7 +154,6 @@ static void __init parse_lsm_order(const char *order, const char *origin) for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { if (lsm->order == LSM_ORDER_MUTABLE && - (lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0 && strcmp(lsm->name, name) == 0) { append_ordered_lsm(lsm, origin); found = true; @@ -186,8 +185,7 @@ static void __init prepare_lsm_order(void) /* Add any missing LSMs, in link order. */ for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { - if (lsm->order == LSM_ORDER_MUTABLE && - (lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0) + if (lsm->order == LSM_ORDER_MUTABLE) append_ordered_lsm(lsm, "link-time"); } @@ -245,18 +243,6 @@ static void __init ordered_lsm_init(void) maybe_initialize_lsm(*lsm); } -static void __init major_lsm_init(void) -{ - struct lsm_info *lsm; - - for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { - if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0) - continue; - - maybe_initialize_lsm(lsm); - } -} - static void __init parse_lsm_enable(const char *str, void (*set)(struct lsm_info *, bool), bool enabled) @@ -290,8 +276,6 @@ static void __init prepare_lsm_enable(void) parse_lsm_enable(chosen_lsm_disable, set_enabled, false); /* Process "security=", if given. */ - if (!chosen_major_lsm) - chosen_major_lsm = CONFIG_DEFAULT_SECURITY; if (chosen_major_lsm) { struct lsm_info *lsm; @@ -334,11 +318,6 @@ int __init security_init(void) prepare_lsm_order(); ordered_lsm_init(); - /* - * Load all the remaining security modules. - */ - major_lsm_init(); - kfree(ordered_lsms); return 0; }