From patchwork Tue Oct 2 00:54:34 2018
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 10622939
From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v4 01/32] LSM: Correctly announce start of LSM initialization Date: Mon, 1 Oct 2018 17:54:34 -0700 Message-Id: <20181002005505.6112-2-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181002005505.6112-1-keescook@chromium.org> References: <20181002005505.6112-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP For a while now, the LSM core has said it was "initializED", rather than "initializING". This adjusts the report to be more accurate (i.e. before this was reported before any LSMs had been initialized.) Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler Reviewed-by: James Morris Reviewed-by: John Johansen --- security/security.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/security/security.c b/security/security.c index 736e78da1ab9..4cbcf244a965 100644 --- a/security/security.c +++ b/security/security.c 
@@ -72,10 +72,11 @@ int __init security_init(void) int i; struct hlist_head *list = (struct hlist_head *) &security_hook_heads; + pr_info("Security Framework initializing\n"); + for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct hlist_head); i++) INIT_HLIST_HEAD(&list[i]); - pr_info("Security Framework initialized\n"); /* * Load minor LSMs, with the capability module always first. From patchwork Tue Oct 2 00:54:35 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10622933 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 686FF175A for ; Tue, 2 Oct 2018 00:57:07 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 52FC528684 for ; Tue, 2 Oct 2018 00:57:07 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 46B6C286C6; Tue, 2 Oct 2018 00:57:07 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D97D228684 for ; Tue, 2 Oct 2018 00:57:06 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726637AbeJBHhe (ORCPT ); Tue, 2 Oct 2018 03:37:34 -0400 Received: from mail-it1-f196.google.com ([209.85.166.196]:56116 "EHLO mail-it1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725936AbeJBHfl (ORCPT ); Tue, 2 Oct 2018 03:35:41 -0400 Received: by mail-it1-f196.google.com with SMTP id c23-v6so960818itd.5 for ; Mon, 01 Oct 2018 17:55:12 -0700 (PDT) DKIM-Signature: 
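Review bot: In security_init() in security/security.c (01/32), the boot-log string changes from "Security Framework initialized" to "Security Framework initializing", and nothing in the hunk prints a completion message any more. Anything that matches the old string in dmesg (boot tests, documentation, log parsers) will stop matching, so the commit message should call out the user-visible string change. If a completion marker is still wanted, it belongs after the LSMs have actually been loaded rather than being dropped.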
From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v4 02/32] vmlinux.lds.h: Avoid copy/paste of security_init section Date: Mon, 1 Oct 2018 17:54:35 -0700 Message-Id: <20181002005505.6112-3-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181002005505.6112-1-keescook@chromium.org> References: <20181002005505.6112-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Avoid copy/paste by defining SECURITY_INIT in terms of SECURITY_INITCALL. Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler Reviewed-by: James Morris Reviewed-by: John Johansen --- include/asm-generic/vmlinux.lds.h | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h index 7b75ff6e2fce..934a45395547 100644 --- a/include/asm-generic/vmlinux.lds.h +++ b/include/asm-generic/vmlinux.lds.h @@ -473,13 +473,6 @@ #define RODATA RO_DATA_SECTION(4096) #define RO_DATA(align) RO_DATA_SECTION(align) -#define SECURITY_INIT \ - .security_initcall.init : AT(ADDR(.security_initcall.init) - LOAD_OFFSET) { \ - __security_initcall_start = .; \ - KEEP(*(.security_initcall.init)) \ - __security_initcall_end = .; \ - } - /* * .text section. Map to function alignment to avoid address changes * during second ld run in second ld pass when generating System.map 
@@ -798,6 +791,12 @@ KEEP(*(.security_initcall.init)) \ __security_initcall_end = .; +/* Older linker script style for security init. */ +#define SECURITY_INIT \ + .security_initcall.init : AT(ADDR(.security_initcall.init) - LOAD_OFFSET) { \ + SECURITY_INITCALL \ + } + #ifdef CONFIG_BLK_DEV_INITRD #define INIT_RAM_FS \ . = ALIGN(4); \ From patchwork Tue Oct 2 00:54:36 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10622935 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id AFB0E17E0 for ; Tue, 2 Oct 2018 00:57:07 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9C04328684 for ; Tue, 2 Oct 2018 00:57:07 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 8F848286C5; Tue, 2 Oct 2018 00:57:07 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2C55D286C2 for ; Tue, 2 Oct 2018 00:57:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726646AbeJBHfl (ORCPT ); Tue, 2 Oct 2018 03:35:41 -0400 Received: from mail-it1-f194.google.com ([209.85.166.194]:53223 "EHLO mail-it1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726332AbeJBHfk (ORCPT ); Tue, 2 Oct 2018 03:35:40 -0400 Received: by mail-it1-f194.google.com with SMTP id 134-v6so982308itz.2 for ; Mon, 01 Oct 2018 17:55:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; 
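Review bot: The comment added above SECURITY_INIT in include/asm-generic/vmlinux.lds.h (02/32), "Older linker script style for security init.", does not say what distinguishes this form from SECURITY_INITCALL. From the visible lines, SECURITY_INIT emits its own output section with AT(ADDR(.security_initcall.init) - LOAD_OFFSET), while SECURITY_INITCALL only lays out the start symbol, the KEEP() and the end symbol for use inside an existing section. Saying that in the comment would tell an architecture maintainer which of the two to use.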
From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v4 03/32] LSM: Rename .security_initcall section to .lsm_info Date: Mon, 1 Oct 2018 17:54:36 -0700 Message-Id: <20181002005505.6112-4-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181002005505.6112-1-keescook@chromium.org> References: <20181002005505.6112-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP In preparation for switching from initcall to just a regular set of pointers in a section, rename the internal section name. Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler Reviewed-by: James Morris Reviewed-by: John Johansen --- include/asm-generic/vmlinux.lds.h | 10 +++++----- include/linux/init.h | 4 ++-- security/security.c | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h index 934a45395547..5079a969e612 100644 --- a/include/asm-generic/vmlinux.lds.h +++ b/include/asm-generic/vmlinux.lds.h @@ -787,14 +787,14 @@ __con_initcall_end = .; #define SECURITY_INITCALL \ - __security_initcall_start = .; \ - KEEP(*(.security_initcall.init)) \ - __security_initcall_end = .; + __start_lsm_info = .; \ + KEEP(*(.lsm_info.init)) \ + __end_lsm_info = .; /* Older linker script style for security init. */ #define SECURITY_INIT \ - .security_initcall.init : AT(ADDR(.security_initcall.init) - LOAD_OFFSET) { \ - SECURITY_INITCALL \ + .lsm_info.init : AT(ADDR(.lsm_info.init) - LOAD_OFFSET) { \ + LSM_INFO \ } #ifdef CONFIG_BLK_DEV_INITRD diff --git a/include/linux/init.h b/include/linux/init.h index 2538d176dd1f..77636539e77c 100644 --- a/include/linux/init.h +++ b/include/linux/init.h 
@@ -133,7 +133,7 @@ static inline initcall_t initcall_from_entry(initcall_entry_t *entry) #endif extern initcall_entry_t __con_initcall_start[], __con_initcall_end[]; -extern initcall_entry_t __security_initcall_start[], __security_initcall_end[]; +extern initcall_entry_t __start_lsm_info[], __end_lsm_info[]; /* Used for contructor calls. */ typedef void (*ctor_fn_t)(void); @@ -236,7 +236,7 @@ extern bool initcall_debug; static exitcall_t __exitcall_##fn __exit_call = fn #define console_initcall(fn) ___define_initcall(fn,, .con_initcall) -#define security_initcall(fn) ___define_initcall(fn,, .security_initcall) +#define security_initcall(fn) ___define_initcall(fn,, .lsm_info) struct obs_kernel_param { const char *str; diff --git a/security/security.c b/security/security.c index 4cbcf244a965..892fe6b691cf 100644 --- a/security/security.c +++ b/security/security.c 
@@ -51,9 +51,9 @@ static void __init do_security_initcalls(void) initcall_t call; initcall_entry_t *ce; - ce = __security_initcall_start; + ce = __start_lsm_info; trace_initcall_level("security"); - while (ce < __security_initcall_end) { + while (ce < __end_lsm_info) { call = initcall_from_entry(ce); trace_initcall_start(call); ret = call(); From patchwork Tue Oct 2 00:54:37 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10622937 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 32E2A174A for ; Tue, 2 Oct 2018 00:57:12 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1EC2728684 for ; Tue, 2 Oct 2018 00:57:12 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 12CDA286C5; Tue, 2 Oct 2018 00:57:12 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B551E28684 for ; Tue, 2 Oct 2018 00:57:11 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726518AbeJBHhj (ORCPT ); Tue, 2 Oct 2018 03:37:39 -0400 Received: from mail-it1-f194.google.com ([209.85.166.194]:37975 "EHLO mail-it1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726525AbeJBHfj (ORCPT ); Tue, 2 Oct 2018 03:35:39 -0400 Received: by mail-it1-f194.google.com with SMTP id i76-v6so1071160ita.3 for ; Mon, 01 Oct 2018 17:55:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
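Review bot: In the include/asm-generic/vmlinux.lds.h hunk of 03/32, the body of SECURITY_INIT is changed to expand LSM_INFO, but the macro above it is still defined as "#define SECURITY_INITCALL" and none of the hunks in this patch defines LSM_INFO. A linker script that uses SECURITY_INIT would be left with an unexpanded LSM_INFO token, which looks like a leftover from a macro rename. Either keep "SECURITY_INITCALL \" inside SECURITY_INIT or rename the SECURITY_INITCALL define in the same patch, so the series stays buildable at this commit.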
From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v4 04/32] LSM: Remove initcall tracing Date: Mon, 1 Oct 2018 17:54:37 -0700 Message-Id: <20181002005505.6112-5-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181002005505.6112-1-keescook@chromium.org> References: <20181002005505.6112-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP This partially reverts commit 58eacfffc417 ("init, tracing: instrument security and console initcall trace events") since security init calls are about to no longer resemble regular init calls. Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler Reviewed-by: James Morris --- security/security.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/security/security.c b/security/security.c index 892fe6b691cf..41a5da2c7faf 100644 --- a/security/security.c +++ b/security/security.c @@ -30,8 +30,6 @@ #include #include -#include - #define MAX_LSM_EVM_XATTR 2 /* Maximum number of letters for an LSM name string */ 
@@ -47,17 +45,13 @@ static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = static void __init do_security_initcalls(void) { - int ret; initcall_t call; initcall_entry_t *ce; ce = __start_lsm_info; - trace_initcall_level("security"); while (ce < __end_lsm_info) { call = initcall_from_entry(ce); - trace_initcall_start(call); - ret = call(); - trace_initcall_finish(call, ret); + call(); ce++; } } From patchwork Tue Oct 2 00:54:38 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10622929 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A47C1175A for ; Tue, 2 Oct 2018 00:56:45 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8FCE228684 for ; Tue, 2 Oct 2018 00:56:45 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 836F1286C5; Tue, 2 Oct 2018 00:56:45 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 11C3A28684 for ; Tue, 2 Oct 2018 00:56:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726811AbeJBHhM (ORCPT ); Tue, 2 Oct 2018 03:37:12 -0400 Received: from mail-io1-f67.google.com ([209.85.166.67]:44157 "EHLO mail-io1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726758AbeJBHfn (ORCPT ); Tue, 2 Oct 2018 03:35:43 -0400 Received: by mail-io1-f67.google.com with SMTP id x26-v6so232127iog.11 for ; Mon, 01 Oct 2018 17:55:15 -0700 (PDT) 
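Review bot: In do_security_initcalls() in security/security.c (04/32), dropping "int ret" together with the trace calls means the return value of every LSM init function is now discarded: "ret = call();" becomes a bare "call();". Before this change a failing init was at least visible through trace_initcall_finish(call, ret); afterwards a security module that fails to initialize leaves no record. Keep ret and report a non-zero value, or state in the commit message why init failures can be ignored at this point.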
From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v4 05/32] LSM: Convert from initcall to struct lsm_info Date: Mon, 1 Oct 2018 17:54:38 -0700 Message-Id: <20181002005505.6112-6-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181002005505.6112-1-keescook@chromium.org> References: <20181002005505.6112-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP In preparation for doing more interesting LSM init probing, this converts the existing initcall system into an explicit call into a function pointer from a section-collected struct lsm_info array. Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler Reviewed-by: James Morris Reviewed-by: John Johansen --- include/linux/init.h | 2 -- include/linux/lsm_hooks.h | 12 ++++++++++++ include/linux/module.h | 1 - security/integrity/iint.c | 1 + security/security.c | 14 +++++--------- 5 files changed, 18 insertions(+), 12 deletions(-) diff --git a/include/linux/init.h b/include/linux/init.h index 77636539e77c..9c2aba1dbabf 100644 --- a/include/linux/init.h +++ b/include/linux/init.h @@ -133,7 +133,6 @@ static inline initcall_t initcall_from_entry(initcall_entry_t *entry) #endif extern initcall_entry_t __con_initcall_start[], __con_initcall_end[]; -extern initcall_entry_t __start_lsm_info[], __end_lsm_info[]; /* Used for contructor calls. */ typedef void (*ctor_fn_t)(void); @@ -236,7 +235,6 @@ extern bool initcall_debug; static exitcall_t __exitcall_##fn __exit_call = fn #define console_initcall(fn) ___define_initcall(fn,, .con_initcall) -#define security_initcall(fn) ___define_initcall(fn,, .lsm_info) struct obs_kernel_param { const char *str; 
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 97a020c616ad..d13059feca09 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2039,6 +2039,18 @@ extern char *lsm_names; extern void security_add_hooks(struct security_hook_list *hooks, int count, char *lsm); +struct lsm_info { + int (*init)(void); /* Required. */ +}; + +extern struct lsm_info __start_lsm_info[], __end_lsm_info[]; + +#define security_initcall(lsm) \ + static struct lsm_info __lsm_##lsm \ + __used __section(.lsm_info.init) \ + __aligned(sizeof(unsigned long)) \ + = { .init = lsm, } + #ifdef CONFIG_SECURITY_SELINUX_DISABLE /* * Assuring the safety of deleting a security module is up to diff --git a/include/linux/module.h b/include/linux/module.h index f807f15bebbe..264979283756 100644 --- a/include/linux/module.h +++ b/include/linux/module.h @@ -123,7 +123,6 @@ extern void cleanup_module(void); #define late_initcall_sync(fn) module_init(fn) #define console_initcall(fn) module_init(fn) -#define security_initcall(fn) module_init(fn) /* Each module must use one module_init(). */ #define module_init(initfn) \ diff --git a/security/integrity/iint.c b/security/integrity/iint.c index 5a6810041e5c..70d21b566955 100644 --- a/security/integrity/iint.c +++ b/security/integrity/iint.c @@ -22,6 +22,7 @@ #include #include #include +#include #include "integrity.h" static struct rb_root integrity_iint_tree = RB_ROOT; diff --git a/security/security.c b/security/security.c index 41a5da2c7faf..e74f46fba591 100644 --- a/security/security.c +++ b/security/security.c 
@@ -43,16 +43,12 @@ char *lsm_names; static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = CONFIG_DEFAULT_SECURITY; -static void __init do_security_initcalls(void) +static void __init major_lsm_init(void) { - initcall_t call; - initcall_entry_t *ce; + struct lsm_info *lsm; - ce = __start_lsm_info; - while (ce < __end_lsm_info) { - call = initcall_from_entry(ce); - call(); - ce++; + for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { + lsm->init(); } } 
@@ -82,7 +78,7 @@ int __init security_init(void) /* * Load all the remaining security modules. */ - do_security_initcalls(); + major_lsm_init(); return 0; } From patchwork Tue Oct 2 00:54:39 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10622901 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 32C87175A for ; Tue, 2 Oct 2018 00:55:22 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1650F28684 for ; Tue, 2 Oct 2018 00:55:22 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 0A10D286C4; Tue, 2 Oct 2018 00:55:22 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 66EC028684 for ; Tue, 2 Oct 2018 00:55:21 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726936AbeJBHfr (ORCPT ); Tue, 2 Oct 2018 03:35:47 -0400 Received: from mail-io1-f65.google.com ([209.85.166.65]:37593 "EHLO mail-io1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726867AbeJBHfp (ORCPT ); Tue, 2 Oct 2018 03:35:45 -0400 Received: by mail-io1-f65.google.com with SMTP id v14-v6so258459iob.4 for ; Mon, 01 Oct 2018 17:55:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=gG7fP03F21tgUMWk9E9Lg0ELdTbgx+Rg7rsJOACjtKg=; 
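Review bot: In the include/linux/lsm_hooks.h hunk of 05/32, the init member of struct lsm_info is marked "Required." only by a comment, and major_lsm_init() in security/security.c calls lsm->init() without checking it and without looking at the return value. Because the table is assembled by the linker from every .lsm_info.init entry, a NULL check in the loop (or a build-time check in the security_initcall() macro) would turn a missing init into a diagnosable error instead of a NULL call during early boot. The macro parameter is also named lsm although it receives the init function; fn, as in the define it replaces, would read better.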
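Review bot: In the include/linux/module.h hunk of 05/32, removing "#define security_initcall(fn) module_init(fn)" leaves only the lsm_hooks.h definition, which places a struct in .lsm_info.init no matter how the file is built. As far as the visible code shows, only the table between __start_lsm_info and __end_lsm_info is walked, so code compiled as a module that uses security_initcall() would build but never have its init function called. If no modular user exists, say so in the commit message; otherwise make the new macro fail to compile in a modular build.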
From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v4 06/32] vmlinux.lds.h: Move LSM_TABLE into INIT_DATA Date: Mon, 1 Oct 2018 17:54:39 -0700 Message-Id: <20181002005505.6112-7-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181002005505.6112-1-keescook@chromium.org> References: <20181002005505.6112-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Since the struct lsm_info table is not an initcall, we can just move it into INIT_DATA like all the other tables. Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler Reviewed-by: John Johansen Reviewed-by: James Morris --- arch/arc/kernel/vmlinux.lds.S | 1 - arch/arm/kernel/vmlinux-xip.lds.S | 1 - arch/arm64/kernel/vmlinux.lds.S | 1 - arch/h8300/kernel/vmlinux.lds.S | 1 - arch/microblaze/kernel/vmlinux.lds.S | 2 -- arch/powerpc/kernel/vmlinux.lds.S | 2 -- arch/um/include/asm/common.lds.S | 2 -- arch/xtensa/kernel/vmlinux.lds.S | 1 - include/asm-generic/vmlinux.lds.h | 24 +++++++++++------------- 9 files changed, 11 insertions(+), 24 deletions(-) diff --git a/arch/arc/kernel/vmlinux.lds.S b/arch/arc/kernel/vmlinux.lds.S index f35ed578e007..8fb16bdabdcf 100644 --- a/arch/arc/kernel/vmlinux.lds.S +++ b/arch/arc/kernel/vmlinux.lds.S @@ -71,7 +71,6 @@ SECTIONS INIT_SETUP(L1_CACHE_BYTES) INIT_CALLS CON_INITCALL - SECURITY_INITCALL } .init.arch.info : { diff --git a/arch/arm/kernel/vmlinux-xip.lds.S b/arch/arm/kernel/vmlinux-xip.lds.S index 3593d5c1acd2..8c74037ade22 100644 --- a/arch/arm/kernel/vmlinux-xip.lds.S +++ b/arch/arm/kernel/vmlinux-xip.lds.S @@ -96,7 +96,6 @@ SECTIONS INIT_SETUP(16) INIT_CALLS CON_INITCALL - SECURITY_INITCALL INIT_RAM_FS } 
diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S index 605d1b60469c..7d23d591b03c 100644 --- a/arch/arm64/kernel/vmlinux.lds.S +++ b/arch/arm64/kernel/vmlinux.lds.S @@ -166,7 +166,6 @@ SECTIONS INIT_SETUP(16) INIT_CALLS CON_INITCALL - SECURITY_INITCALL INIT_RAM_FS *(.init.rodata.* .init.bss) /* from the EFI stub */ } diff --git a/arch/h8300/kernel/vmlinux.lds.S b/arch/h8300/kernel/vmlinux.lds.S index 35716a3048de..49f716c0a1df 100644 --- a/arch/h8300/kernel/vmlinux.lds.S +++ b/arch/h8300/kernel/vmlinux.lds.S @@ -56,7 +56,6 @@ SECTIONS __init_begin = .; INIT_TEXT_SECTION(4) INIT_DATA_SECTION(4) - SECURITY_INIT __init_end = .; _edata = . ; _begin_data = LOADADDR(.data); diff --git a/arch/microblaze/kernel/vmlinux.lds.S b/arch/microblaze/kernel/vmlinux.lds.S index 289d0e7f3e3a..e1f3e8741292 100644 --- a/arch/microblaze/kernel/vmlinux.lds.S +++ b/arch/microblaze/kernel/vmlinux.lds.S @@ -117,8 +117,6 @@ SECTIONS { CON_INITCALL } - SECURITY_INIT - __init_end_before_initramfs = .; .init.ramfs : AT(ADDR(.init.ramfs) - LOAD_OFFSET) { diff --git a/arch/powerpc/kernel/vmlinux.lds.S b/arch/powerpc/kernel/vmlinux.lds.S index 07ae018e550e..105a976323aa 100644 --- a/arch/powerpc/kernel/vmlinux.lds.S +++ b/arch/powerpc/kernel/vmlinux.lds.S @@ -212,8 +212,6 @@ SECTIONS CON_INITCALL } - SECURITY_INIT - . = ALIGN(8); __ftr_fixup : AT(ADDR(__ftr_fixup) - LOAD_OFFSET) { __start___ftr_fixup = .; diff --git a/arch/um/include/asm/common.lds.S b/arch/um/include/asm/common.lds.S index 7adb4e6b658a..4049f2c46387 100644 --- a/arch/um/include/asm/common.lds.S +++ b/arch/um/include/asm/common.lds.S @@ -53,8 +53,6 @@ CON_INITCALL } - SECURITY_INIT - .exitcall : { __exitcall_begin = .; *(.exitcall.exit) diff --git a/arch/xtensa/kernel/vmlinux.lds.S b/arch/xtensa/kernel/vmlinux.lds.S index a1c3edb8ad56..b727b18a68ac 100644 --- a/arch/xtensa/kernel/vmlinux.lds.S +++ b/arch/xtensa/kernel/vmlinux.lds.S 
@@ -197,7 +197,6 @@ SECTIONS INIT_SETUP(XCHAL_ICACHE_LINESIZE) INIT_CALLS CON_INITCALL - SECURITY_INITCALL INIT_RAM_FS } diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h index 5079a969e612..b31ea8bdfef9 100644 --- a/include/asm-generic/vmlinux.lds.h +++ b/include/asm-generic/vmlinux.lds.h @@ -203,6 +203,15 @@ #define EARLYCON_TABLE() #endif +#ifdef CONFIG_SECURITY +#define LSM_TABLE() . = ALIGN(8); \ + __start_lsm_info = .; \ + KEEP(*(.lsm_info.init)) \ + __end_lsm_info = .; +#else +#define LSM_TABLE() +#endif + #define ___OF_TABLE(cfg, name) _OF_TABLE_##cfg(name) #define __OF_TABLE(cfg, name) ___OF_TABLE(cfg, name) #define OF_TABLE(cfg, name) __OF_TABLE(IS_ENABLED(cfg), name) @@ -597,7 +606,8 @@ IRQCHIP_OF_MATCH_TABLE() \ ACPI_PROBE_TABLE(irqchip) \ ACPI_PROBE_TABLE(timer) \ - EARLYCON_TABLE() + EARLYCON_TABLE() \ + LSM_TABLE() #define INIT_TEXT \ *(.init.text .init.text.*) \ @@ -786,17 +796,6 @@ KEEP(*(.con_initcall.init)) \ __con_initcall_end = .; -#define SECURITY_INITCALL \ - __start_lsm_info = .; \ - KEEP(*(.lsm_info.init)) \ - __end_lsm_info = .; - -/* Older linker script style for security init. */ -#define SECURITY_INIT \ - .lsm_info.init : AT(ADDR(.lsm_info.init) - LOAD_OFFSET) { \ - LSM_INFO \ - } - #ifdef CONFIG_BLK_DEV_INITRD #define INIT_RAM_FS \ . = ALIGN(4); \ 
@@ -963,7 +962,6 @@ INIT_SETUP(initsetup_align) \ INIT_CALLS \ CON_INITCALL \ - SECURITY_INITCALL \ INIT_RAM_FS \ }
From patchwork Tue Oct 2 00:54:40 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10622921
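Review bot: In include/asm-generic/vmlinux.lds.h (patch 06/32), the new LSM_TABLE() is not a pure move of SECURITY_INITCALL: it adds `. = ALIGN(8);` ahead of `__start_lsm_info`, and it expands to nothing when CONFIG_SECURITY is unset, so `__start_lsm_info` and `__end_lsm_info` are no longer defined in that configuration. Neither change is mentioned in the commit message. Please state both there or in a comment above the macro, and confirm that nothing built without CONFIG_SECURITY references the two symbols.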
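Review bot: The microblaze, powerpc and um hunks of patch 06/32 delete the standalone `SECURITY_INIT` output section, but their visible context does not show where INIT_DATA is emitted in those linker scripts. Since `.lsm_info.init` is now collected only through INIT_DATA, please confirm that each of these scripts pulls it in, so the `__start_lsm_info`/`__end_lsm_info` bounds still bracket the LSM entries on those architectures.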
From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v4 07/32] LSM: Convert security_initcall() into DEFINE_LSM() Date: Mon, 1 Oct 2018 17:54:40 -0700 Message-Id: <20181002005505.6112-8-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181002005505.6112-1-keescook@chromium.org> References: <20181002005505.6112-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Instead of using argument-based initializers, switch to defining the contents of struct lsm_info on a per-LSM basis. This also drops the final use of the now inaccurate "initcall" naming. Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler Reviewed-by: James Morris --- include/linux/lsm_hooks.h | 5 ++--- security/apparmor/lsm.c | 4 +++- security/integrity/iint.c | 4 +++- security/selinux/hooks.c | 4 +++- security/smack/smack_lsm.c | 4 +++- security/tomoyo/tomoyo.c | 4 +++- 6 files changed, 17 insertions(+), 8 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index d13059feca09..9c6b4198ff5a 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2045,11 +2045,10 @@ struct lsm_info { extern struct lsm_info __start_lsm_info[], __end_lsm_info[]; -#define security_initcall(lsm) \ +#define DEFINE_LSM(lsm) \ static struct lsm_info __lsm_##lsm \ __used __section(.lsm_info.init) \ - __aligned(sizeof(unsigned long)) \ - = { .init = lsm, } + __aligned(sizeof(unsigned long)) #ifdef CONFIG_SECURITY_SELINUX_DISABLE /* diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 8b8b70620bbe..c4863956c832 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c 
@@ -1606,4 +1606,6 @@ static int __init apparmor_init(void) return error; } -security_initcall(apparmor_init); +DEFINE_LSM(apparmor) = { + .init = apparmor_init, +}; diff --git a/security/integrity/iint.c b/security/integrity/iint.c index 70d21b566955..94e8e1820748 100644 --- a/security/integrity/iint.c +++ b/security/integrity/iint.c @@ -175,7 +175,9 @@ static int __init integrity_iintcache_init(void) 0, SLAB_PANIC, init_once); return 0; } -security_initcall(integrity_iintcache_init); +DEFINE_LSM(integrity) = { + .init = integrity_iintcache_init, +}; /* diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ad9a9b8e9979..6ca2e89ddbd6 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7202,7 +7202,9 @@ void selinux_complete_init(void) /* SELinux requires early initialization in order to label all processes and objects when they are created. */ -security_initcall(selinux_init); +DEFINE_LSM(selinux) = { + .init = selinux_init, +}; #if defined(CONFIG_NETFILTER) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 340fc30ad85d..c62e26939a69 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4882,4 +4882,6 @@ static __init int smack_init(void) * Smack requires early initialization in order to label * all processes and objects when they are created. */ -security_initcall(smack_init); +DEFINE_LSM(smack) = { + .init = smack_init, +}; diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index 9f932e2d6852..b2d833999910 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c 
@@ -550,4 +550,6 @@ static int __init tomoyo_init(void) return 0; } -security_initcall(tomoyo_init); +DEFINE_LSM(tomoyo) = { + .init = tomoyo_init, +};
From patchwork Tue Oct 2 00:54:41 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10622927
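Review bot: In include/linux/lsm_hooks.h (patch 07/32), DEFINE_LSM() now ends at `__aligned(sizeof(unsigned long))` and relies on every user appending `= { .init = ... };`, but the macro carries no comment saying so. A use without an initializer still compiles and leaves `.init` NULL. Please add a short comment above the macro documenting the expected form and which fields must be set.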
From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v4 08/32] LSM: Record LSM name in struct lsm_info Date: Mon, 1 Oct 2018 17:54:41 -0700 Message-Id: <20181002005505.6112-9-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181002005505.6112-1-keescook@chromium.org> References: <20181002005505.6112-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP In preparation for making LSM selections outside of the LSMs, include the name of LSMs in struct lsm_info. Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler --- include/linux/lsm_hooks.h | 1 + security/apparmor/lsm.c | 1 + security/integrity/iint.c | 1 + security/selinux/hooks.c | 1 + security/smack/smack_lsm.c | 1 + security/tomoyo/tomoyo.c | 1 + 6 files changed, 6 insertions(+) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 9c6b4198ff5a..ae159b02f3ab 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2040,6 +2040,7 @@ extern void security_add_hooks(struct security_hook_list *hooks, int count, char *lsm); struct lsm_info { + const char *name; /* Required. */ int (*init)(void); /* Required. */ }; diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index c4863956c832..dca4b7dbf368 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1607,5 +1607,6 @@ static int __init apparmor_init(void) } DEFINE_LSM(apparmor) = { + .name = "apparmor", .init = apparmor_init, }; diff --git a/security/integrity/iint.c b/security/integrity/iint.c index 94e8e1820748..1ea05da2323d 100644 --- a/security/integrity/iint.c +++ b/security/integrity/iint.c 
@@ -176,6 +176,7 @@ static int __init integrity_iintcache_init(void) return 0; } DEFINE_LSM(integrity) = { + .name = "integrity", .init = integrity_iintcache_init, }; diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 6ca2e89ddbd6..9651bccae270 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7203,6 +7203,7 @@ void selinux_complete_init(void) /* SELinux requires early initialization in order to label all processes and objects when they are created. */ DEFINE_LSM(selinux) = { + .name = "selinux", .init = selinux_init, }; diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index c62e26939a69..2fb56bcf1316 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4883,5 +4883,6 @@ static __init int smack_init(void) * all processes and objects when they are created. */ DEFINE_LSM(smack) = { + .name = "smack", .init = smack_init, }; diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index b2d833999910..1b5b5097efd7 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c 
@@ -551,5 +551,6 @@ static int __init tomoyo_init(void) } DEFINE_LSM(tomoyo) = { + .name = "tomoyo", .init = tomoyo_init, };
From patchwork Tue Oct 2 00:54:42 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10622919
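Review bot: In struct lsm_info (patch 08/32), `name` is marked "Required." while the same header already takes an LSM name through the `char *lsm` argument of security_add_hooks(), so each LSM now carries its name in two places with nothing tying them together. Please document that the two strings must match, or follow up by deriving one from the other, so that later name-based selection cannot disagree with the name registered with the hooks.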
From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v4 09/32] LSM: Provide init debugging infrastructure Date: Mon, 1 Oct 2018 17:54:42 -0700 Message-Id: <20181002005505.6112-10-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181002005505.6112-1-keescook@chromium.org> References: <20181002005505.6112-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Booting with "lsm.debug" will report future details on how LSM ordering decisions are being made. Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler Reviewed-by: John Johansen Reviewed-by: James Morris --- .../admin-guide/kernel-parameters.txt | 2 ++ security/security.c | 18 ++++++++++++++++++ 2 files changed, 20 insertions(+) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 9871e649ffef..32d323ee9218 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -2274,6 +2274,8 @@ ltpc= [NET] Format: ,, + lsm.debug [SECURITY] Enable LSM initialization debugging output. + machvec= [IA-64] Force the use of a particular machine-vector (machvec) in a generic kernel. Example: machvec=hpzx1_swiotlb diff --git a/security/security.c b/security/security.c index e74f46fba591..395f804f6a91 100644 --- a/security/security.c +++ b/security/security.c @@ -12,6 +12,8 @@ * (at your option) any later version. */ +#define pr_fmt(fmt) "LSM: " fmt + #include #include #include 
@@ -43,11 +45,19 @@ char *lsm_names; static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = CONFIG_DEFAULT_SECURITY; +static __initdata bool debug; +#define init_debug(...) \ + do { \ + if (debug) \ + pr_info(__VA_ARGS__); \ + } while (0) + static void __init major_lsm_init(void) { struct lsm_info *lsm; for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { + init_debug("initializing %s\n", lsm->name); lsm->init(); } } 
@@ -91,6 +101,14 @@ static int __init choose_lsm(char *str) } __setup("security=", choose_lsm); +/* Enable LSM order debugging. */ +static int __init enable_debug(char *str) +{ + debug = true; + return 1; +} +__setup("lsm.debug", enable_debug); + static bool match_last_lsm(const char *list, const char *lsm) { const char *last;
From patchwork Tue Oct 2 00:54:43 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10622925
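Review bot: In Documentation/admin-guide/kernel-parameters.txt (patch 09/32), the new `lsm.debug` entry is inserted after `ltpc=`, which breaks the alphabetical order of the list ("lsm" sorts before "ltpc"). Please move it above `ltpc=`, and say in the entry that the parameter takes no value.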
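Review bot: `#define pr_fmt(fmt) "LSM: " fmt` at the top of security/security.c (patch 09/32) applies to every pr_*() call in the file, not only to the new init_debug() output, so any existing message there gains the "LSM: " prefix as well. That side effect is not in the commit message. Please mention it and check that no existing message in the file already prints its own prefix.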
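Review bot: enable_debug() in security/security.c (patch 09/32) never looks at `str` and sets `debug = true` unconditionally, so whatever follows "lsm.debug" on the command line is silently ignored. Either document that the parameter is a bare flag, or parse the value as a boolean so that an explicit off setting is honoured.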
From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v4 10/32] LSM: Don't ignore initialization failures Date: Mon, 1 Oct 2018 17:54:43 -0700 Message-Id: <20181002005505.6112-11-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181002005505.6112-1-keescook@chromium.org> References: <20181002005505.6112-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP LSM initialization failures have traditionally been ignored. We should at least WARN when something goes wrong. Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler Reviewed-by: John Johansen --- security/security.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/security/security.c b/security/security.c index 395f804f6a91..2055af907eba 100644 --- a/security/security.c +++ b/security/security.c 
@@ -55,10 +55,12 @@ static __initdata bool debug; static void __init major_lsm_init(void) { struct lsm_info *lsm; + int ret; for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { init_debug("initializing %s\n", lsm->name); - lsm->init(); + ret = lsm->init(); + WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret); } }
From patchwork Tue Oct 2 00:54:44 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10622913
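Review bot: In major_lsm_init() (patch 10/32), `WARN(ret, ...)` reports a failed init but the loop then carries on exactly as before, and nothing records that the LSM did not come up. WARN also emits a full backtrace for what is an ordinary error return, and it will panic the machine when panic_on_warn is set. Please say in the commit message whether booting on after a failed LSM is intended, and consider whether pr_warn() or an explicit hard failure is the better response.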
From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v4 11/32] LSM: Introduce LSM_FLAG_LEGACY_MAJOR Date: Mon, 1 Oct 2018 17:54:44 -0700 Message-Id: <20181002005505.6112-12-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181002005505.6112-1-keescook@chromium.org> References: <20181002005505.6112-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP This adds a flag for the current "major" LSMs to distinguish them when we have a universal method for ordering all LSMs. It's called "legacy" since the distinction of "major" will go away in the blob-sharing world. Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler Reviewed-by: John Johansen --- include/linux/lsm_hooks.h | 3 +++ security/apparmor/lsm.c | 1 + security/selinux/hooks.c | 1 + security/smack/smack_lsm.c | 1 + security/tomoyo/tomoyo.c | 1 + 5 files changed, 7 insertions(+) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index ae159b02f3ab..531e219a49b9 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2039,8 +2039,11 @@ extern char *lsm_names; extern void security_add_hooks(struct security_hook_list *hooks, int count, char *lsm); +#define LSM_FLAG_LEGACY_MAJOR BIT(0) + struct lsm_info { const char *name; /* Required. */ + unsigned long flags; /* Optional: flags describing LSM */ int (*init)(void); /* Required. */ }; diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index dca4b7dbf368..768cb539fb6c 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c 
@@ -1608,5 +1608,6 @@ static int __init apparmor_init(void) DEFINE_LSM(apparmor) = { .name = "apparmor", + .flags = LSM_FLAG_LEGACY_MAJOR, .init = apparmor_init, }; diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 9651bccae270..020886895819 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7204,6 +7204,7 @@ void selinux_complete_init(void) all processes and objects when they are created. */ DEFINE_LSM(selinux) = { .name = "selinux", + .flags = LSM_FLAG_LEGACY_MAJOR, .init = selinux_init, }; diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 2fb56bcf1316..db8bc6b6d8b0 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4884,5 +4884,6 @@ static __init int smack_init(void) */ DEFINE_LSM(smack) = { .name = "smack", + .flags = LSM_FLAG_LEGACY_MAJOR, .init = smack_init, }; diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index 1b5b5097efd7..09f7af130d3a 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c 
@@ -552,5 +552,6 @@ static int __init tomoyo_init(void) DEFINE_LSM(tomoyo) = { .name = "tomoyo", + .flags = LSM_FLAG_LEGACY_MAJOR, .init = tomoyo_init, }; From patchwork Tue Oct 2 00:54:45 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10622923 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 14D29175A for ; Tue, 2 Oct 2018 00:56:30 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id F362728684 for ; Tue, 2 Oct 2018 00:56:29 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id E751A286C5; Tue, 2 Oct 2018 00:56:29 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8D42728684 for ; Tue, 2 Oct 2018 00:56:29 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726966AbeJBHgu (ORCPT ); Tue, 2 Oct 2018 03:36:50 -0400 Received: from mail-io1-f65.google.com ([209.85.166.65]:42860 "EHLO mail-io1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726872AbeJBHft (ORCPT ); Tue, 2 Oct 2018 03:35:49 -0400 Received: by mail-io1-f65.google.com with SMTP id n18-v6so241601ioa.9 for ; Mon, 01 Oct 2018 17:55:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=K8Z4hRQ9RjNB3cw7dID4X7rT0mlxEqRr67feJ2NB/9c=; 
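Review bot: In the include/linux/lsm_hooks.h hunk, LSM_FLAG_LEGACY_MAJOR is defined with no comment, and the new flags member is documented only as "flags describing LSM". What the flag means (this is one of the current "major" LSMs, a distinction the commit message says will go away) is stated only in the commit message. A short comment above the #define would keep that next to the code. It should also say that a DEFINE_LSM() which omits .flags gets 0 and is therefore treated as not major.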
From: Kees Cook
To: James Morris
Cc: Kees Cook, Casey Schaufler, John Johansen, Tetsuo Handa, Paul Moore, Stephen Smalley, "Schaufler, Casey", LSM, Jonathan Corbet, linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH security-next v4 12/32] LSM: Provide separate ordered initialization
Date: Mon, 1 Oct 2018 17:54:45 -0700
Message-Id: <20181002005505.6112-13-keescook@chromium.org>
In-Reply-To: <20181002005505.6112-1-keescook@chromium.org>
References: <20181002005505.6112-1-keescook@chromium.org>

This provides a place for ordered LSMs to be initialized, separate from the "major" LSMs. This is mainly a copy/paste from major_lsm_init() to ordered_lsm_init(), but it will change drastically in later patches.

What is not obvious in the patch is that this change moves the integrity LSM from major_lsm_init() into ordered_lsm_init(), since it is not marked with the LSM_FLAG_LEGACY_MAJOR. As it is the only LSM in the "ordered" list, there is no reordering yet created.

Signed-off-by: Kees Cook
Reviewed-by: Casey Schaufler
Reviewed-by: John Johansen
---
 security/security.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/security/security.c b/security/security.c index 2055af907eba..ebbbb672ced5 100644 --- a/security/security.c +++ b/security/security.c
@@ -52,12 +52,30 @@ static __initdata bool debug; pr_info(__VA_ARGS__); \ } while (0) +static void __init ordered_lsm_init(void) +{ + struct lsm_info *lsm; + int ret; + + for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { + if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) != 0) + continue; + + init_debug("initializing %s\n", lsm->name); + ret = lsm->init(); + WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret); + } +} + static void __init major_lsm_init(void) { struct lsm_info *lsm; int ret; for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { + if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0) + continue; + init_debug("initializing %s\n", lsm->name); ret = lsm->init(); WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret); 
@@ -87,6 +105,9 @@ int __init security_init(void) yama_add_hooks(); loadpin_add_hooks(); + /* Load LSMs in specified order. */ + ordered_lsm_init(); + /* * Load all the remaining security modules. */ From patchwork Tue Oct 2 00:54:46 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10622915 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id CD65B175A for ; Tue, 2 Oct 2018 00:56:09 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B970128684 for ; Tue, 2 Oct 2018 00:56:09 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id AD2DD286C5; Tue, 2 Oct 2018 00:56:09 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1B7E828684 for ; Tue, 2 Oct 2018 00:56:09 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726993AbeJBHgg (ORCPT ); Tue, 2 Oct 2018 03:36:36 -0400 Received: from mail-it1-f195.google.com ([209.85.166.195]:38927 "EHLO mail-it1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726991AbeJBHfv (ORCPT ); Tue, 2 Oct 2018 03:35:51 -0400 Received: by mail-it1-f195.google.com with SMTP id w200-v6so1058368itc.4 for ; Mon, 01 Oct 2018 17:55:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=Od7O88ILjGHU6yw3qklE8z4x9u6hVSoQhlqZnNDtzvw=; 
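Review bot: In the security_init() hunk, the added comment "Load LSMs in specified order." describes behaviour that is not there yet: ordered_lsm_init() walks __start_lsm_info to __end_lsm_info as laid out, and nothing specifies an order. What the call actually does is initialize every LSM without LSM_FLAG_LEGACY_MAJOR at this earlier point, before the "Load all the remaining security modules" step. The commit message says this moves integrity, but neither the call site nor the flag test in ordered_lsm_init() mentions it. Suggest rewording the comment to say that non-major LSMs are initialized here, so the ordering change is visible in the code and not only in the log.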
From: Kees Cook
To: James Morris
Cc: Kees Cook, Casey Schaufler, John Johansen, Tetsuo Handa, Paul Moore, Stephen Smalley, "Schaufler, Casey", LSM, Jonathan Corbet, linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH security-next v4 13/32] LoadPin: Rename "enable" to "enforce"
Date: Mon, 1 Oct 2018 17:54:46 -0700
Message-Id: <20181002005505.6112-14-keescook@chromium.org>
In-Reply-To: <20181002005505.6112-1-keescook@chromium.org>
References: <20181002005505.6112-1-keescook@chromium.org>

LoadPin's "enable" setting is really about enforcement, not whether or not the LSM is using LSM hooks. Instead, split this out so that LSM enabling can be logically distinct from whether enforcement is happening (for example, the pinning happens when the LSM is enabled, but the pin is only checked when "enforce" is set). This allows LoadPin to continue to operate sanely in test environments once LSM enable/disable is centrally handled (i.e. we want LoadPin to be enabled separately from its enforcement).

Signed-off-by: Kees Cook
Reviewed-by: Casey Schaufler
Reviewed-by: John Johansen
---
 security/loadpin/Kconfig   |  4 ++--
 security/loadpin/loadpin.c | 21 +++++++++++----------
 2 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/security/loadpin/Kconfig b/security/loadpin/Kconfig index dd01aa91e521..8653608a3693 100644 --- a/security/loadpin/Kconfig +++ b/security/loadpin/Kconfig
@@ -10,10 +10,10 @@ config SECURITY_LOADPIN have a root filesystem backed by a read-only device such as dm-verity or a CDROM. -config SECURITY_LOADPIN_ENABLED +config SECURITY_LOADPIN_ENFORCING bool "Enforce LoadPin at boot" depends on SECURITY_LOADPIN help If selected, LoadPin will enforce pinning at boot. If not selected, it can be enabled at boot with the kernel parameter - "loadpin.enabled=1". + "loadpin.enforcing=1". diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c index 0716af28808a..d8a68a6f6fef 100644 --- a/security/loadpin/loadpin.c +++ b/security/loadpin/loadpin.c @@ -44,7 +44,7 @@ static void report_load(const char *origin, struct file *file, char *operation) kfree(pathname); } -static int enabled = IS_ENABLED(CONFIG_SECURITY_LOADPIN_ENABLED); +static int enforcing = IS_ENABLED(CONFIG_SECURITY_LOADPIN_ENFORCING); static struct super_block *pinned_root; static DEFINE_SPINLOCK(pinned_root_spinlock); @@ -60,8 +60,8 @@ static struct ctl_path loadpin_sysctl_path[] = { static struct ctl_table loadpin_sysctl_table[] = { { - .procname = "enabled", - .data = &enabled, + .procname = "enforcing", + .data = &enforcing, .maxlen = sizeof(int), .mode = 0644, .proc_handler = proc_dointvec_minmax, @@ -97,7 +97,7 @@ static void check_pinning_enforcement(struct super_block *mnt_sb) loadpin_sysctl_table)) pr_notice("sysctl registration failed!\n"); else - pr_info("load pinning can be disabled.\n"); + pr_info("enforcement can be disabled.\n"); } else pr_info("load pinning engaged.\n"); } @@ -128,7 +128,7 @@ static int loadpin_read_file(struct file *file, enum kernel_read_file_id id) /* This handles the older init_module API that has a NULL file. */ if (!file) { - if (!enabled) { + if (!enforcing) { report_load(origin, NULL, "old-api-pinning-ignored"); return 0; } 
@@ -151,7 +151,7 @@ static int loadpin_read_file(struct file *file, enum kernel_read_file_id id) * Unlock now since it's only pinned_root we care about. * In the worst case, we will (correctly) report pinning * failures before we have announced that pinning is - * enabled. This would be purely cosmetic. + * enforcing. This would be purely cosmetic. */ spin_unlock(&pinned_root_spinlock); check_pinning_enforcement(pinned_root); @@ -161,7 +161,7 @@ static int loadpin_read_file(struct file *file, enum kernel_read_file_id id) } if (IS_ERR_OR_NULL(pinned_root) || load_root != pinned_root) { - if (unlikely(!enabled)) { + if (unlikely(!enforcing)) { report_load(origin, file, "pinning-ignored"); return 0; } 
@@ -186,10 +186,11 @@ static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = { void __init loadpin_add_hooks(void) { - pr_info("ready to pin (currently %sabled)", enabled ? "en" : "dis"); + pr_info("ready to pin (currently %senforcing)\n", + enforcing ? "" : "not "); security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), "loadpin"); } /* Should not be mutable after boot, so not listed in sysfs (perm == 0). */ -module_param(enabled, int, 0); -MODULE_PARM_DESC(enabled, "Pin module/firmware loading (default: true)"); +module_param(enforcing, int, 0); +MODULE_PARM_DESC(enforcing, "Enforce module/firmware pinning"); From patchwork Tue Oct 2 00:54:47 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10622903 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 07979174A for ; Tue, 2 Oct 2018 00:55:30 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E838D28684 for ; Tue, 2 Oct 2018 00:55:29 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id DC036286C4; Tue, 2 Oct 2018 00:55:29 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7931228684 for ; Tue, 2 Oct 2018 00:55:29 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727183AbeJBHfy (ORCPT ); Tue, 2 Oct 2018 03:35:54 -0400 Received: from mail-it1-f196.google.com ([209.85.166.196]:38933 "EHLO 
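Review bot: The renames in security/loadpin/loadpin.c change user-visible names, and the commit message does not say so. The sysctl procname goes from "enabled" to "enforcing" and module_param(enabled, int, 0) becomes module_param(enforcing, int, 0), so an existing kernel command line carrying loadpin.enabled= or a script writing the old sysctl no longer reaches this variable. Suggest either documenting the rename as an interface change or keeping the old names as aliases. In the Kconfig hunk, the help text still says LoadPin "can be enabled at boot with the kernel parameter" while naming loadpin.enforcing=1; wording it as turning enforcement on would match the enable/enforce split this patch introduces.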
From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v4 14/32] LSM: Plumb visibility into optional "enabled" state Date: Mon, 1 Oct 2018 17:54:47 -0700 Message-Id: <20181002005505.6112-15-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181002005505.6112-1-keescook@chromium.org> References: <20181002005505.6112-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP In preparation for lifting the "is this LSM enabled?" logic out of the individual LSMs, pass in any special enabled state tracking (as needed for SELinux, AppArmor, and LoadPin). This should be an "int" to include handling any future cases where "enabled" is exposed via sysctl which has no "bool" type. Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler Reviewed-by: John Johansen --- include/linux/lsm_hooks.h | 1 + security/apparmor/lsm.c | 5 +++-- security/selinux/hooks.c | 1 + 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 531e219a49b9..6ec5a0266f21 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2044,6 +2044,7 @@ extern void security_add_hooks(struct security_hook_list *hooks, int count, struct lsm_info { const char *name; /* Required. */ unsigned long flags; /* Optional: flags describing LSM */ + int *enabled; /* Optional: NULL means enabled. */ int (*init)(void); /* Required. */ }; diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 768cb539fb6c..6ace45704cb6 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c 
@@ -1303,8 +1303,8 @@ bool aa_g_paranoid_load = true; module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO); /* Boot time disable flag */ -static bool apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE; -module_param_named(enabled, apparmor_enabled, bool, S_IRUGO); +static int apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE; +module_param_named(enabled, apparmor_enabled, int, 0444); static int __init apparmor_enabled_setup(char *str) { @@ -1609,5 +1609,6 @@ static int __init apparmor_init(void) DEFINE_LSM(apparmor) = { .name = "apparmor", .flags = LSM_FLAG_LEGACY_MAJOR, + .enabled = &apparmor_enabled, .init = apparmor_init, }; diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 020886895819..e8da99550b67 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -7205,6 +7205,7 @@ void selinux_complete_init(void) DEFINE_LSM(selinux) = { .name = "selinux", .flags = LSM_FLAG_LEGACY_MAJOR, + .enabled = &selinux_enabled, .init = selinux_init, }; From patchwork Tue Oct 2 00:54:48 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10622917 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9F04F175A for ; Tue, 2 Oct 2018 00:56:20 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8A2FB28684 for ; Tue, 2 Oct 2018 00:56:20 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 7C820286C5; Tue, 2 Oct 2018 00:56:20 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C9BAA28684 for ; Tue, 2 Oct 2018 00:56:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726971AbeJBHgq (ORCPT ); Tue, 2 Oct 2018 03:36:46 -0400 Received: from mail-io1-f68.google.com ([209.85.166.68]:34182 "EHLO mail-io1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726966AbeJBHfu (ORCPT ); Tue, 2 Oct 2018 03:35:50 -0400 Received: by mail-io1-f68.google.com with SMTP id k19-v6so272698iom.1 for ; Mon, 01 Oct 2018 17:55:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=h/DemNszMlxITv06HPl1T5ZcPYVNjEcB12fyRq50PNM=; 
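Review bot: In the security/apparmor/lsm.c hunk, switching module_param_named(enabled, apparmor_enabled, ...) from bool to int narrows what the parameter accepts. The bool parser takes y/n forms as well as 0/1, while the int parser takes only integers, so a configuration that sets the parameter to Y or N would stop parsing. The commit message explains why the storage must be an int but not that the accepted syntax changes. Suggest either stating that, or keeping bool-style parsing with a setter that stores into the int.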
From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v4 15/32] LSM: Lift LSM selection out of individual LSMs Date: Mon, 1 Oct 2018 17:54:48 -0700 Message-Id: <20181002005505.6112-16-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181002005505.6112-1-keescook@chromium.org> References: <20181002005505.6112-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP As a prerequisite to adjusting LSM selection logic in the future, this moves the selection logic up out of the individual major LSMs, making their init functions only run when actually enabled. This considers all LSMs enabled by default unless they specified an external "enable" variable. Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler Reviewed-by: John Johansen --- include/linux/lsm_hooks.h | 1 - security/apparmor/lsm.c | 6 --- security/security.c | 84 ++++++++++++++++++++++++-------------- security/selinux/hooks.c | 10 ----- security/smack/smack_lsm.c | 3 -- security/tomoyo/tomoyo.c | 2 - 6 files changed, 53 insertions(+), 53 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 6ec5a0266f21..9ecb623fb39d 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2085,7 +2085,6 @@ static inline void security_delete_hooks(struct security_hook_list *hooks, #define __lsm_ro_after_init __ro_after_init #endif /* CONFIG_SECURITY_WRITABLE_HOOKS */ -extern int __init security_module_enable(const char *module); extern void __init capability_add_hooks(void); #ifdef CONFIG_SECURITY_YAMA extern void __init yama_add_hooks(void); diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 6ace45704cb6..bc56b058dc75 100644 
--- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1542,12 +1542,6 @@ static int __init apparmor_init(void) { int error; - if (!apparmor_enabled || !security_module_enable("apparmor")) { - aa_info_message("AppArmor disabled by boot time parameter"); - apparmor_enabled = false; - return 0; - } - aa_secids_init(); error = aa_setup_dfa_engine(); diff --git a/security/security.c b/security/security.c index ebbbb672ced5..4e5e67b82b7b 100644 --- a/security/security.c +++ b/security/security.c 
@@ -52,33 +52,78 @@ static __initdata bool debug; pr_info(__VA_ARGS__); \ } while (0) +static bool __init is_enabled(struct lsm_info *lsm) +{ + if (!lsm->enabled || *lsm->enabled) + return true; + + return false; +} + +/* Mark an LSM's enabled flag, if it exists. */ +static void __init set_enabled(struct lsm_info *lsm, bool enabled) +{ + if (lsm->enabled) + *lsm->enabled = enabled; +} + +/* Is an LSM allowed to be initialized? */ +static bool __init lsm_allowed(struct lsm_info *lsm) +{ + /* Skip if the LSM is disabled. */ + if (!is_enabled(lsm)) + return false; + + /* Skip major-specific checks if not a major LSM. */ + if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0) + return true; + + /* Disabled if this LSM isn't the chosen one. */ + if (strcmp(lsm->name, chosen_lsm) != 0) + return false; + + return true; +} + +/* Check if LSM should be enabled. Mark any that are disabled. */ +static void __init maybe_initialize_lsm(struct lsm_info *lsm) +{ + int enabled = lsm_allowed(lsm); + + /* Record enablement. */ + set_enabled(lsm, enabled); + + /* If selected, initialize the LSM. */ + if (enabled) { + int ret; + + init_debug("initializing %s\n", lsm->name); + ret = lsm->init(); + WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret); + } +} + static void __init ordered_lsm_init(void) { struct lsm_info *lsm; - int ret; for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) != 0) continue; - init_debug("initializing %s\n", lsm->name); - ret = lsm->init(); - WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret); + maybe_initialize_lsm(lsm); } } static void __init major_lsm_init(void) { struct lsm_info *lsm; - int ret; for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0) continue; - init_debug("initializing %s\n", lsm->name); - ret = lsm->init(); - WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret); + maybe_initialize_lsm(lsm); } } 
@@ -168,29 +213,6 @@ static int lsm_append(char *new, char **result) return 0; } -/** - * security_module_enable - Load given security module on boot ? - * @module: the name of the module - * - * Each LSM must pass this method before registering its own operations - * to avoid security registration races. This method may also be used - * to check if your LSM is currently loaded during kernel initialization. - * - * Returns: - * - * true if: - * - * - The passed LSM is the one chosen by user at boot time, - * - or the passed LSM is configured as the default and the user did not - * choose an alternate LSM at boot time. - * - * Otherwise, return false. - */ -int __init security_module_enable(const char *module) -{ - return !strcmp(module, chosen_lsm); -} - /** * security_add_hooks - Add a modules hooks to the hook lists. * @hooks: the hooks to add diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index e8da99550b67..71a10fedecb3 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7133,16 +7133,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { static __init int selinux_init(void) { - if (!security_module_enable("selinux")) { - selinux_enabled = 0; - return 0; - } - - if (!selinux_enabled) { - pr_info("SELinux: Disabled at boot.\n"); - return 0; - } - pr_info("SELinux: Initializing.\n"); memset(&selinux_state, 0, sizeof(selinux_state)); diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index db8bc6b6d8b0..f243044d5a55 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4834,9 +4834,6 @@ static __init int smack_init(void) struct cred *cred; struct task_smack *tsp; - if (!security_module_enable("smack")) - return 0; - smack_inode_cache = KMEM_CACHE(inode_smack, 0); if (!smack_inode_cache) return -ENOMEM; diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index 09f7af130d3a..a46f6bc1e97c 100644 --- a/security/tomoyo/tomoyo.c 
+++ b/security/tomoyo/tomoyo.c 
@@ -540,8 +540,6 @@ static int __init tomoyo_init(void) { struct cred *cred = (struct cred *) current_cred(); - if (!security_module_enable("tomoyo")) - return 0; /* register ourselves with the security framework */ security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo"); printk(KERN_INFO "TOMOYO Linux initialized\n"); From patchwork Tue Oct 2 00:54:49 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10622979 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 2B99D16B1 for ; Tue, 2 Oct 2018 01:06:05 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 160FE286C0 for ; Tue, 2 Oct 2018 01:06:05 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 09938286D5; Tue, 2 Oct 2018 01:06:05 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7A320286C0 for ; Tue, 2 Oct 2018 01:06:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726492AbeJBHqd (ORCPT ); Tue, 2 Oct 2018 03:46:33 -0400 Received: from mail-io1-f67.google.com ([209.85.166.67]:42241 "EHLO mail-io1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726715AbeJBHo6 (ORCPT ); Tue, 2 Oct 2018 03:44:58 -0400 Received: by mail-io1-f67.google.com with SMTP id n18-v6so272894ioa.9 for ; Mon, 01 Oct 2018 18:04:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; 
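Review bot: In the security/security.c hunk, maybe_initialize_lsm() does nothing visible for an LSM it declines to initialize, whereas the checks removed from the individual LSMs logged that case (aa_info_message("AppArmor disabled by boot time parameter") and pr_info("SELinux: Disabled at boot.\n")). After this patch a disabled or unchosen LSM is skipped silently, so the boot log no longer shows why SELinux or AppArmor is off. Suggest an else branch that reports lsm->name, at least through init_debug(). Minor: int enabled = lsm_allowed(lsm); holds a bool and is passed on to a bool parameter, so it should be declared bool.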
From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v4 16/32] LSM: Prepare for arbitrary LSM enabling Date: Mon, 1 Oct 2018 17:54:49 -0700 Message-Id: <20181002005505.6112-17-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181002005505.6112-1-keescook@chromium.org> References: <20181002005505.6112-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Before now, all the LSMs that did not specify an "enable" variable in their struct lsm_info were considered enabled by default. This prepares to make LSM enabling more explicit. For all LSMs without an explicit "enable" variable, a hard-coded storage location is chosen, and all LSMs without an external "enable" state have their state explicitly set to "enabled". This code appears more complex than it needs to be (comma-separated list parsing and "set" function parameter) because its use will be expanded on in the following patches to provide more explicit enabling. Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler Reviewed-by: John Johansen --- security/security.c | 69 ++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 65 insertions(+), 4 deletions(-) diff --git a/security/security.c b/security/security.c index 4e5e67b82b7b..9459b4ee4fd9 100644 --- a/security/security.c +++ b/security/security.c 
@@ -54,17 +54,46 @@ static __initdata bool debug; static bool __init is_enabled(struct lsm_info *lsm) { - if (!lsm->enabled || *lsm->enabled) - return true; + if (WARN_ON(!lsm->enabled)) + return false; - return false; + return *lsm->enabled; } /* Mark an LSM's enabled flag, if it exists. */ -static void __init set_enabled(struct lsm_info *lsm, bool enabled) +static int lsm_enabled_true __initdata = 1; +static int lsm_enabled_false __initdata = 0; + +static void __init default_enabled(struct lsm_info *lsm, bool enabled) { + /* If storage location already set, skip this one. */ if (lsm->enabled) + return; + + /* + * When an LSM hasn't configured an enable variable, we can use + * a hard-coded location for storing the default enabled state. + */ + if (enabled) + lsm->enabled = &lsm_enabled_true; + else + lsm->enabled = &lsm_enabled_false; +} + +static void __init set_enabled(struct lsm_info *lsm, bool enabled) +{ + if (WARN_ON(!lsm->enabled)) + return; + + if (lsm->enabled == &lsm_enabled_true) { + if (!enabled) + lsm->enabled = &lsm_enabled_false; + } else if (lsm->enabled == &lsm_enabled_false) { + if (enabled) + lsm->enabled = &lsm_enabled_true; + } else { *lsm->enabled = enabled; + } } /* Is an LSM allowed to be initialized? */ @@ -127,6 +156,35 @@ static void __init major_lsm_init(void) } } +static void __init parse_lsm_enable(const char *str, + void (*set)(struct lsm_info *, bool), + bool enabled) +{ + char *sep, *name, *next; + + if (!str) + return; + + sep = kstrdup(str, GFP_KERNEL); + next = sep; + while ((name = strsep(&next, ",")) != NULL) { + struct lsm_info *lsm; + + for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { + if (strcmp(name, "all") == 0 || + strcmp(name, lsm->name) == 0) + set(lsm, enabled); + } + } + kfree(sep); +} + +static void __init prepare_lsm_enable(void) +{ + /* Prepare defaults. */ + parse_lsm_enable("all", default_enabled, true); +} + /** * security_init - initializes the security framework * 
@@ -143,6 +201,9 @@ int __init security_init(void) i++) INIT_HLIST_HEAD(&list[i]); + /* Figure out which LSMs are enabled and disabled. */ + prepare_lsm_enable(); + /* * Load minor LSMs, with the capability module always first. */ From patchwork Tue Oct 2 00:54:50 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10622951 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D810E16B1 for ; Tue, 2 Oct 2018 01:04:32 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C3D1F286D1 for ; Tue, 2 Oct 2018 01:04:32 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id B7761286D4; Tue, 2 Oct 2018 01:04:32 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5656C286D1 for ; Tue, 2 Oct 2018 01:04:32 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726748AbeJBHpB (ORCPT ); Tue, 2 Oct 2018 03:45:01 -0400 Received: from mail-it1-f195.google.com ([209.85.166.195]:52637 "EHLO mail-it1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726471AbeJBHpA (ORCPT ); Tue, 2 Oct 2018 03:45:00 -0400 Received: by mail-it1-f195.google.com with SMTP id 134-v6so1016238itz.2 for ; Mon, 01 Oct 2018 18:04:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; 
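Review bot: In the first security/security.c hunk of 16/32 (@@ -54,17 +54,46 @@), the unchanged comment "/* Mark an LSM's enabled flag, if it exists. */" now sits above the new lsm_enabled_true and lsm_enabled_false declarations instead of above set_enabled(), and "if it exists" no longer matches the code, because set_enabled() now returns under WARN_ON(!lsm->enabled). Move the comment down to set_enabled() and reword it. The two __initdata variables also deserve their own comment saying that they are shared by every LSM without an enable variable and may only be compared by address, never written through, which is why set_enabled() swaps the pointer instead of assigning *lsm->enabled.

Review bot: parse_lsm_enable() in the @@ -127,6 +156,35 @@ hunk of 16/32 uses the kstrdup() result without checking it. If the allocation fails, next is NULL, strsep() returns NULL on the first call, and the function returns without calling set() for any LSM. On the "all" defaults pass that leaves lsm->enabled NULL for every LSM without its own variable, and is_enabled() then warns and reports each of them as disabled. Check sep and report the failure. A name that matches no entry between __start_lsm_info and __end_lsm_info is also dropped silently; an init_debug() line for unmatched names would make a typo in the list visible.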
From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v4 17/32] LSM: Introduce CONFIG_LSM_ENABLE Date: Mon, 1 Oct 2018 17:54:50 -0700 Message-Id: <20181002005505.6112-18-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181002005505.6112-1-keescook@chromium.org> References: <20181002005505.6112-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP To provide a set of default-enabled LSMs at boot, this introduces the new CONFIG_LSM_ENABLE. A value of "all" means all builtin LSMs are enabled by default. Any unlisted LSMs will be implicitly disabled (excepting those with LSM-specific CONFIGs for enabling/disabling). The behavior of the LSM-specific CONFIGs for SELinux and AppArmor is unchanged: the default-enabled state for those LSMs remains controlled through their LSM-specific "enable" CONFIGs. Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler --- include/linux/lsm_hooks.h | 2 +- security/Kconfig | 8 ++++++++ security/security.c | 4 +++- 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 9ecb623fb39d..fd85637a1931 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2044,7 +2044,7 @@ extern void security_add_hooks(struct security_hook_list *hooks, int count, struct lsm_info { const char *name; /* Required. */ unsigned long flags; /* Optional: flags describing LSM */ - int *enabled; /* Optional: NULL means enabled. */ + int *enabled; /* Optional: NULL checks CONFIG_LSM_ENABLE */ int (*init)(void); /* Required. */ }; diff --git a/security/Kconfig b/security/Kconfig index 27d8b2688f75..ac23feba584d 100644 --- a/security/Kconfig 
+++ b/security/Kconfig @@ -276,5 +276,13 @@ config DEFAULT_SECURITY default "apparmor" if DEFAULT_SECURITY_APPARMOR default "" if DEFAULT_SECURITY_DAC +config LSM_ENABLE + string "LSMs to enable at boot time" + default "all" + help + A comma-separated list of LSMs to enable by default at boot. The + default is "all", to enable all LSM modules at boot. Any LSMs + not listed here will be disabled by default. + endmenu diff --git a/security/security.c b/security/security.c index 9459b4ee4fd9..35601000176b 100644 --- a/security/security.c +++ b/security/security.c @@ -45,6 +45,8 @@ char *lsm_names; static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = CONFIG_DEFAULT_SECURITY; +static __initconst const char * const builtin_lsm_enable = CONFIG_LSM_ENABLE; + static __initdata bool debug; #define init_debug(...) \ do { \ 
@@ -182,7 +184,7 @@ static void __init parse_lsm_enable(const char *str, static void __init prepare_lsm_enable(void) { /* Prepare defaults. */ - parse_lsm_enable("all", default_enabled, true); + parse_lsm_enable(builtin_lsm_enable, default_enabled, true); } /** From patchwork Tue Oct 2 00:54:51 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10622949 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 61F5B16B1 for ; Tue, 2 Oct 2018 01:04:28 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 49EB5286D1 for ; Tue, 2 Oct 2018 01:04:28 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 3C489286D4; Tue, 2 Oct 2018 01:04:28 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B402C286D1 for ; Tue, 2 Oct 2018 01:04:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726491AbeJBHo5 (ORCPT ); Tue, 2 Oct 2018 03:44:57 -0400 Received: from mail-it1-f196.google.com ([209.85.166.196]:39444 "EHLO mail-it1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726276AbeJBHo5 (ORCPT ); Tue, 2 Oct 2018 03:44:57 -0400 Received: by mail-it1-f196.google.com with SMTP id w200-v6so1095216itc.4 for ; Mon, 01 Oct 2018 18:04:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; 
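Review bot: The LSM_ENABLE help text added in the security/Kconfig hunk of 17/32 says "Any LSMs not listed here will be disabled by default", while the commit message excepts LSMs that have their own enable CONFIGs (SELinux and AppArmor). State that exception in the help text, otherwise someone who leaves one of those two out of the list will expect it to be off.

Review bot: In the prepare_lsm_enable() hunk of 17/32, replacing "all" with builtin_lsm_enable means default_enabled() is only called for the listed LSMs, so an unlisted LSM with no enable variable of its own keeps lsm->enabled == NULL. is_enabled() from 16/32 handles that case with WARN_ON(!lsm->enabled), so a kernel built with a shortened CONFIG_LSM_ENABLE would warn for each omitted LSM rather than skip it quietly. Because default_enabled() skips entries that already have storage, a second pass after the builtin one, parse_lsm_enable("all", default_enabled, false), would give the remaining LSMs the lsm_enabled_false location.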
From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v4 18/32] LSM: Introduce lsm.enable= and lsm.disable= Date: Mon, 1 Oct 2018 17:54:51 -0700 Message-Id: <20181002005505.6112-19-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181002005505.6112-1-keescook@chromium.org> References: <20181002005505.6112-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP This introduces the "lsm.enable=..." and "lsm.disable=..." boot parameters which each can contain a comma-separated list of LSMs to enable or disable, respectively. The string "all" matches all LSMs. This has very similar functionality to the existing per-LSM enable handling ("apparmor.enabled=...", etc), but provides a centralized place to perform the changes. These parameters take precedence over any LSM-specific boot parameters. Disabling an LSM means it will not be considered when performing initializations. Enabling an LSM means either undoing a previous LSM-specific boot parameter disabling or undoing a default-disabled CONFIG setting. For example: "lsm.disable=apparmor apparmor.enabled=1" will result in AppArmor being disabled. "selinux.enabled=0 lsm.enable=selinux" will result in SELinux being enabled. Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler --- .../admin-guide/kernel-parameters.txt | 12 ++++++++++ security/Kconfig | 4 +++- security/security.c | 22 +++++++++++++++++++ 3 files changed, 37 insertions(+), 1 deletion(-) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 32d323ee9218..67c90985d2b8 100644 --- a/Documentation/admin-guide/kernel-parameters.txt 
+++ b/Documentation/admin-guide/kernel-parameters.txt @@ -2276,6 +2276,18 @@ lsm.debug [SECURITY] Enable LSM initialization debugging output. + lsm.disable=lsm1,...,lsmN + [SECURITY] Comma-separated list of LSMs to disable + at boot time. This overrides "lsm.enable=", + CONFIG_LSM_ENABLE, and any per-LSM CONFIGs and boot + parameters. + + lsm.enable=lsm1,...,lsmN + [SECURITY] Comma-separated list of LSMs to enable + at boot time. This overrides any omissions from + CONFIG_LSM_ENABLE, and any per-LSM CONFIGs and + boot parameters. + machvec= [IA-64] Force the use of a particular machine-vector (machvec) in a generic kernel. Example: machvec=hpzx1_swiotlb diff --git a/security/Kconfig b/security/Kconfig index ac23feba584d..1e57619fd561 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -282,7 +282,9 @@ config LSM_ENABLE help A comma-separated list of LSMs to enable by default at boot. The default is "all", to enable all LSM modules at boot. Any LSMs - not listed here will be disabled by default. + not listed here will be disabled by default. This can be + changed with the "lsm.enable=" and "lsm.disable=" boot + parameters. endmenu diff --git a/security/security.c b/security/security.c index 35601000176b..3fff2d1d1ec4 100644 --- a/security/security.c +++ b/security/security.c @@ -44,6 +44,8 @@ char *lsm_names; /* Boot-time LSM user choice */ static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = CONFIG_DEFAULT_SECURITY; +static __initdata const char *chosen_lsm_enable; +static __initdata const char *chosen_lsm_disable; static __initconst const char * const builtin_lsm_enable = CONFIG_LSM_ENABLE; @@ -185,6 +187,10 @@ static void __init prepare_lsm_enable(void) { /* Prepare defaults. */ parse_lsm_enable(builtin_lsm_enable, default_enabled, true); + + /* Process "lsm.enable=" and "lsm.disable=", if given. */ + parse_lsm_enable(chosen_lsm_enable, set_enabled, true); + parse_lsm_enable(chosen_lsm_disable, set_enabled, false); } /** 
@@ -240,6 +246,22 @@ static int __init enable_debug(char *str) } __setup("lsm.debug", enable_debug); +/* Explicitly enable a list of LSMs. */ +static int __init enable_lsm(char *str) +{ + chosen_lsm_enable = str; + return 1; +} +__setup("lsm.enable=", enable_lsm); + +/* Explicitly disable a list of LSMs. */ +static int __init disable_lsm(char *str) +{ + chosen_lsm_disable = str; + return 1; +} +__setup("lsm.disable=", disable_lsm); + static bool match_last_lsm(const char *list, const char *lsm) { const char *last; From patchwork Tue Oct 2 00:54:52 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10622971 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 71B5D16B1 for ; Tue, 2 Oct 2018 01:05:37 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5D47D286C0 for ; Tue, 2 Oct 2018 01:05:37 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 51CD6286D5; Tue, 2 Oct 2018 01:05:37 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D7BCF286C0 for ; Tue, 2 Oct 2018 01:05:36 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726484AbeJBHo7 (ORCPT ); Tue, 2 Oct 2018 03:44:59 -0400 Received: from mail-it1-f194.google.com ([209.85.166.194]:54947 "EHLO mail-it1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726396AbeJBHo6 (ORCPT ); Tue, 2 Oct 2018 03:44:58 -0400 
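Review bot: The two parse_lsm_enable(..., set_enabled, ...) calls added to prepare_lsm_enable() in 18/32 cannot act on an LSM whose lsm->enabled is still NULL, because set_enabled() returns under WARN_ON(!lsm->enabled). That is the state of an LSM left out of CONFIG_LSM_ENABLE that has no enable variable of its own, so "lsm.enable=" would not undo the omission, although the new kernel-parameters.txt text says it overrides any omissions from CONFIG_LSM_ENABLE. Either give every LSM default storage before these calls or adjust the documentation.

Review bot: enable_lsm() and disable_lsm() in the @@ -240,6 +246,22 @@ hunk of 18/32 each store a single pointer, so when "lsm.enable=" or "lsm.disable=" appears more than once on the command line only the last occurrence is kept and the earlier lists are dropped. Say so in the kernel-parameters.txt entries, or accumulate the lists instead of overwriting the pointer.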
From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v4 19/32] LSM: Prepare for reorganizing "security=" logic Date: Mon, 1 Oct 2018 17:54:52 -0700 Message-Id: <20181002005505.6112-20-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181002005505.6112-1-keescook@chromium.org> References: <20181002005505.6112-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP This moves the string handling for "security=" boot parameter into a stored pointer instead of a string duplicate. This will allow easier handling of the string when switching logic to use the coming enable/disable infrastructure. Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler Reviewed-by: John Johansen --- security/security.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/security/security.c b/security/security.c index 3fff2d1d1ec4..455ba2767965 100644 --- a/security/security.c +++ b/security/security.c @@ -34,18 +34,14 @@ #define MAX_LSM_EVM_XATTR 2 -/* Maximum number of letters for an LSM name string */ -#define SECURITY_NAME_MAX 10 - struct security_hook_heads security_hook_heads __lsm_ro_after_init; static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain); char *lsm_names; /* Boot-time LSM user choice */ -static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = - CONFIG_DEFAULT_SECURITY; static __initdata const char *chosen_lsm_enable; static __initdata const char *chosen_lsm_disable; +static __initdata const char *chosen_major_lsm; static __initconst const char * const builtin_lsm_enable = CONFIG_LSM_ENABLE; 
@@ -112,7 +108,7 @@ static bool __init lsm_allowed(struct lsm_info *lsm) return true; /* Disabled if this LSM isn't the chosen one. */ - if (strcmp(lsm->name, chosen_lsm) != 0) + if (strcmp(lsm->name, chosen_major_lsm) != 0) return false; return true; @@ -191,6 +187,9 @@ static void __init prepare_lsm_enable(void) /* Process "lsm.enable=" and "lsm.disable=", if given. */ parse_lsm_enable(chosen_lsm_enable, set_enabled, true); parse_lsm_enable(chosen_lsm_disable, set_enabled, false); + + if (!chosen_major_lsm) + chosen_major_lsm = CONFIG_DEFAULT_SECURITY; } /** 
@@ -231,12 +230,12 @@ int __init security_init(void) } /* Save user chosen LSM */ -static int __init choose_lsm(char *str) +static int __init choose_major_lsm(char *str) { - strncpy(chosen_lsm, str, SECURITY_NAME_MAX); + chosen_major_lsm = str; return 1; } -__setup("security=", choose_lsm); +__setup("security=", choose_major_lsm); /* Enable LSM order debugging. */ static int __init enable_debug(char *str) From patchwork Tue Oct 2 00:54:53 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10622965 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id BC63616B1 for ; Tue, 2 Oct 2018 01:05:08 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A5378286D1 for ; Tue, 2 Oct 2018 01:05:08 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 96E3E286D4; Tue, 2 Oct 2018 01:05:08 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 397C2286D1 for ; Tue, 2 Oct 2018 01:05:08 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726373AbeJBHph (ORCPT ); Tue, 2 Oct 2018 03:45:37 -0400 Received: from mail-io1-f66.google.com ([209.85.166.66]:38489 "EHLO mail-io1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726897AbeJBHpE (ORCPT ); Tue, 2 Oct 2018 03:45:04 -0400 Received: by mail-io1-f66.google.com with SMTP id y3-v6so284716ioc.5 for ; Mon, 01 Oct 2018 18:04:33 -0700 (PDT) 
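Review bot: In the lsm_allowed() hunk of 19/32, strcmp(lsm->name, chosen_major_lsm) now takes a pointer that stays NULL until prepare_lsm_enable() assigns CONFIG_DEFAULT_SECURITY, where the old chosen_lsm array was always a valid string. The call order in security_init() makes this safe, but nothing at the strcmp() site says so. Add a comment there or a NULL check, so that a later reordering does not become a NULL dereference during early boot.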
From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v4 20/32] LSM: Refactor "security=" in terms of enable/disable Date: Mon, 1 Oct 2018 17:54:53 -0700 Message-Id: <20181002005505.6112-21-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181002005505.6112-1-keescook@chromium.org> References: <20181002005505.6112-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP For what are marked as the Legacy Major LSMs, make them effectively exclusive when selected on the "security=" boot parameter, to handle the future case of when a previously major LSM becomes non-exclusive (e.g. when TOMOYO starts blob-sharing). Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler --- security/security.c | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/security/security.c b/security/security.c index 455ba2767965..d7132c181ea6 100644 --- a/security/security.c +++ b/security/security.c @@ -103,14 +103,6 @@ static bool __init lsm_allowed(struct lsm_info *lsm) if (!is_enabled(lsm)) return false; - /* Skip major-specific checks if not a major LSM. */ - if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0) - return true; - - /* Disabled if this LSM isn't the chosen one. */ - if (strcmp(lsm->name, chosen_major_lsm) != 0) - return false; - return true; } 
@@ -188,8 +180,24 @@ static void __init prepare_lsm_enable(void) parse_lsm_enable(chosen_lsm_enable, set_enabled, true); parse_lsm_enable(chosen_lsm_disable, set_enabled, false); + /* Process "security=", if given. */ if (!chosen_major_lsm) chosen_major_lsm = CONFIG_DEFAULT_SECURITY; + if (chosen_major_lsm) { + struct lsm_info *lsm; + + /* + * To match the original "security=" behavior, this + * explicitly does NOT fallback to another Legacy Major + * if the selected one was separately disabled: disable + * all non-matching Legacy Major LSMs. + */ + for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { + if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) && + strcmp(lsm->name, chosen_major_lsm) != 0) + set_enabled(lsm, false); + } + } } /** From patchwork Tue Oct 2 00:54:54 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10622963 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 7470616B1 for ; Tue, 2 Oct 2018 01:04:54 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5E7E4286D1 for ; Tue, 2 Oct 2018 01:04:54 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 511E6286D4; Tue, 2 Oct 2018 01:04:54 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C75C0286D1 for ; Tue, 2 Oct 2018 01:04:53 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726492AbeJBHpX (ORCPT ); Tue, 2 Oct 2018 
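Review bot: In the prepare_lsm_enable() hunk of 20/32, the new "if (chosen_major_lsm)" test comes directly after the fallback to CONFIG_DEFAULT_SECURITY, a string constant, so it can never be false; drop the test or say which case it guards. The block also runs after the "lsm.enable=" pass, so "security=" disables every non-matching Legacy Major LSM even when that LSM was named in "lsm.enable=", and neither the new comment nor kernel-parameters.txt states this ordering. A sentence on the precedence between "security=" and "lsm.enable=" would settle it.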
From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v4 21/32] LSM: Finalize centralized LSM enabling logic Date: Mon, 1 Oct 2018 17:54:54 -0700 Message-Id: <20181002005505.6112-22-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181002005505.6112-1-keescook@chromium.org> References: <20181002005505.6112-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Prior to this patch, default "enable" behavior was unchanged: SELinux and AppArmor were controlled separately from the centralized control defined by CONFIG_LSM_ENABLE and "lsm.enable=...". This changes the logic to give all control over to the central logic. Instead of allowing SELinux and AppArmor to override the central LSM enabling logic, by having separate CONFIG and boot parameters, this forces all "enable" variables to disabled, then enables any listed in the CONFIG_LSM_ENABLE and "lsm.enable=..." settings, and finally disables any listed in "lsm.disable=...". Signed-off-by: Kees Cook --- .../admin-guide/kernel-parameters.txt | 6 ++-- include/linux/lsm_hooks.h | 2 +- security/security.c | 32 +++++++------------ 3 files changed, 15 insertions(+), 25 deletions(-) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 67c90985d2b8..f646cfab5613 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt 
@@ -2279,14 +2279,12 @@ lsm.disable=lsm1,...,lsmN [SECURITY] Comma-separated list of LSMs to disable at boot time. This overrides "lsm.enable=", - CONFIG_LSM_ENABLE, and any per-LSM CONFIGs and boot - parameters. + CONFIG_LSM_ENABLE. lsm.enable=lsm1,...,lsmN [SECURITY] Comma-separated list of LSMs to enable at boot time. This overrides any omissions from - CONFIG_LSM_ENABLE, and any per-LSM CONFIGs and - boot parameters. + CONFIG_LSM_ENABLE. machvec= [IA-64] Force the use of a particular machine-vector (machvec) in a generic kernel. diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index fd85637a1931..b026ea93ff01 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2044,7 +2044,7 @@ extern void security_add_hooks(struct security_hook_list *hooks, int count, struct lsm_info { const char *name; /* Required. */ unsigned long flags; /* Optional: flags describing LSM */ - int *enabled; /* Optional: NULL checks CONFIG_LSM_ENABLE */ + int *enabled; /* Optional: set based on CONFIG_LSM_ENABLE */ int (*init)(void); /* Required. */ }; diff --git a/security/security.c b/security/security.c index d7132c181ea6..40b9f508b856 100644 --- a/security/security.c +++ b/security/security.c 
@@ -63,27 +63,19 @@ static bool __init is_enabled(struct lsm_info *lsm) /* Mark an LSM's enabled flag, if it exists. */ static int lsm_enabled_true __initdata = 1; static int lsm_enabled_false __initdata = 0; - -static void __init default_enabled(struct lsm_info *lsm, bool enabled) +static void __init set_enabled(struct lsm_info *lsm, bool enabled) { - /* If storage location already set, skip this one. */ - if (lsm->enabled) - return; - /* * When an LSM hasn't configured an enable variable, we can use * a hard-coded location for storing the default enabled state. */ - if (enabled) - lsm->enabled = &lsm_enabled_true; - else - lsm->enabled = &lsm_enabled_false; -} - -static void __init set_enabled(struct lsm_info *lsm, bool enabled) -{ - if (WARN_ON(!lsm->enabled)) + if (!lsm->enabled) { + if (enabled) + lsm->enabled = &lsm_enabled_true; + else + lsm->enabled = &lsm_enabled_false; return; + } if (lsm->enabled == &lsm_enabled_true) { if (!enabled) @@ -149,7 +141,6 @@ static void __init major_lsm_init(void) } static void __init parse_lsm_enable(const char *str, - void (*set)(struct lsm_info *, bool), bool enabled) { char *sep, *name, *next; @@ -165,7 +156,7 @@ static void __init parse_lsm_enable(const char *str, for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { if (strcmp(name, "all") == 0 || strcmp(name, lsm->name) == 0) - set(lsm, enabled); + set_enabled(lsm, enabled); } } kfree(sep); 
@@ -174,11 +165,12 @@ static void __init parse_lsm_enable(const char *str, static void __init prepare_lsm_enable(void) { /* Prepare defaults. */ - parse_lsm_enable(builtin_lsm_enable, default_enabled, true); + parse_lsm_enable("all", false); + parse_lsm_enable(builtin_lsm_enable, true); /* Process "lsm.enable=" and "lsm.disable=", if given. */ - parse_lsm_enable(chosen_lsm_enable, set_enabled, true); - parse_lsm_enable(chosen_lsm_disable, set_enabled, false); + parse_lsm_enable(chosen_lsm_enable, true); + parse_lsm_enable(chosen_lsm_disable, false); /* Process "security=", if given. */ if (!chosen_major_lsm) From patchwork Tue Oct 2 00:54:55 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10622967 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 36C00174A for ; Tue, 2 Oct 2018 01:05:21 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 22AE1286D1 for ; Tue, 2 Oct 2018 01:05:21 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 16769286D4; Tue, 2 Oct 2018 01:05:21 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A2E78286D1 for ; Tue, 2 Oct 2018 01:05:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726642AbeJBHpu (ORCPT ); Tue, 2 Oct 2018 03:45:50 -0400 Received: from mail-io1-f68.google.com ([209.85.166.68]:44611 "EHLO mail-io1-f68.google.com" rhost-flags-OK-OK-OK-OK) 
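Review bot: In prepare_lsm_enable(), the added parse_lsm_enable("all", false) overwrites whatever an LSM had already stored in its own "enabled" variable, and nothing is logged when that happens, so at this point in the series a per-LSM CONFIG or boot parameter is silently discarded. Either add an init_debug() in set_enabled() when it changes a value that the LSM supplied itself, or state in the commit message that the per-LSM settings stop having any effect from this patch on rather than from the later patches that remove them.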
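Review bot: In the kernel-parameters.txt hunk, the "lsm.disable=" entry loses its conjunction once the trailing clause is dropped and now reads: This overrides "lsm.enable=", CONFIG_LSM_ENABLE. Change it to: This overrides "lsm.enable=" and CONFIG_LSM_ENABLE. In the lsm_hooks.h hunk the new comment "set based on CONFIG_LSM_ENABLE" is also narrower than what prepare_lsm_enable() does, since the value is further changed by "lsm.enable=", "lsm.disable=" and "security="; the comment should say so.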
From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v4 22/32] apparmor: Remove boot parameter Date: Mon, 1 Oct 2018 17:54:55 -0700 Message-Id: <20181002005505.6112-23-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181002005505.6112-1-keescook@chromium.org> References: <20181002005505.6112-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Since LSM enabling is now centralized with CONFIG_LSM_ENABLE and "lsm.enable=...", this removes the LSM-specific enabling logic from AppArmor, though it leaves the existing userspace API visibility into /sys/module/apparmor/parameters/enabled. Co-developed-by: John Johansen Signed-off-by: Kees Cook --- Documentation/admin-guide/kernel-parameters.txt | 7 ------- security/apparmor/Kconfig | 16 ---------------- security/apparmor/lsm.c | 7 ++----- 3 files changed, 2 insertions(+), 28 deletions(-) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index f646cfab5613..cf963febebb0 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -4054,13 +4054,6 @@ If enabled at boot time, /selinux/disable can be used later to disable prior to initial policy load. - apparmor= [APPARMOR] Disable or enable AppArmor at boot time - Format: { "0" | "1" } - See security/apparmor/Kconfig help text - 0 -- disable. - 1 -- enable. - Default value is set via kernel config option. - serialnumber [BUGS=X86-32] shapers= [NET] diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig index b6b68a7750ce..3de21f46c82a 100644 --- a/security/apparmor/Kconfig +++ b/security/apparmor/Kconfig 
@@ -14,22 +14,6 @@ config SECURITY_APPARMOR If you are unsure how to answer this question, answer N. -config SECURITY_APPARMOR_BOOTPARAM_VALUE - int "AppArmor boot parameter default value" - depends on SECURITY_APPARMOR - range 0 1 - default 1 - help - This option sets the default value for the kernel parameter - 'apparmor', which allows AppArmor to be enabled or disabled - at boot. If this option is set to 0 (zero), the AppArmor - kernel parameter will default to 0, disabling AppArmor at - boot. If this option is set to 1 (one), the AppArmor - kernel parameter will default to 1, enabling AppArmor at - boot. - - If you are unsure how to answer this question, answer 1. - config SECURITY_APPARMOR_HASH bool "Enable introspection of sha1 hashes for loaded profiles" depends on SECURITY_APPARMOR diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index bc56b058dc75..4cd96a66ed6f 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c 
@@ -1303,15 +1303,12 @@ bool aa_g_paranoid_load = true; module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO); /* Boot time disable flag */ -static int apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE; +static int apparmor_enabled __lsm_ro_after_init; module_param_named(enabled, apparmor_enabled, int, 0444); static int __init apparmor_enabled_setup(char *str) { - unsigned long enabled; - int error = kstrtoul(str, 0, &enabled); - if (!error) - apparmor_enabled = enabled ? 1 : 0; + pr_err("Boot param 'apparmor=' ignored. Use 'lsm.disable=apparmor'\n"); return 1; } From patchwork Tue Oct 2 00:54:56 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10622955 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id CD04D16B1 for ; Tue, 2 Oct 2018 01:04:35 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B6A0E286D1 for ; Tue, 2 Oct 2018 01:04:35 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id AAB3C286D4; Tue, 2 Oct 2018 01:04:35 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 44577286D1 for ; Tue, 2 Oct 2018 01:04:35 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726946AbeJBHpE (ORCPT ); Tue, 2 Oct 2018 03:45:04 -0400 Received: from mail-io1-f68.google.com ([209.85.166.68]:39496 "EHLO mail-io1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org 
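Review bot: In apparmor_enabled_setup(), the new pr_err() always recommends 'lsm.disable=apparmor', which is the wrong advice when the ignored parameter was "apparmor=1"; the handler no longer looks at str, so it cannot tell the two cases apart. Name both "lsm.enable=apparmor" and "lsm.disable=apparmor" in the message, or keep the kstrtoul() parse only to pick the matching hint. Because the "apparmor=" handler is kept, the kernel-parameters.txt entry would be better reduced to a one-line note that the parameter is ignored than deleted outright, so that someone reading the documentation can find out why their existing command line stopped working.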
From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v4 23/32] selinux: Remove boot parameter Date: Mon, 1 Oct 2018 17:54:56 -0700 Message-Id: <20181002005505.6112-24-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181002005505.6112-1-keescook@chromium.org> References: <20181002005505.6112-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Since LSM enabling is now centralized with CONFIG_LSM_ENABLE and "lsm.enable=...", this removes the LSM-specific enabling logic from SELinux. Signed-off-by: Kees Cook --- .../admin-guide/kernel-parameters.txt | 9 ------ security/selinux/Kconfig | 29 ------------------- security/selinux/hooks.c | 15 +--------- 3 files changed, 1 insertion(+), 52 deletions(-) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index cf963febebb0..0d10ab3d020e 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -4045,15 +4045,6 @@ loaded. An invalid security module name will be treated as if no module has been chosen. - selinux= [SELINUX] Disable or enable SELinux at boot time. - Format: { "0" | "1" } - See security/selinux/Kconfig help text. - 0 -- disable. - 1 -- enable. - Default value is set via kernel config option. - If enabled at boot time, /selinux/disable can be used - later to disable prior to initial policy load. - serialnumber [BUGS=X86-32] shapers= [NET] diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig index 8af7a690eb40..86936528a0bb 100644 --- a/security/selinux/Kconfig +++ b/security/selinux/Kconfig 
@@ -8,35 +8,6 @@ config SECURITY_SELINUX You will also need a policy configuration and a labeled filesystem. If you are unsure how to answer this question, answer N. -config SECURITY_SELINUX_BOOTPARAM - bool "NSA SELinux boot parameter" - depends on SECURITY_SELINUX - default n - help - This option adds a kernel parameter 'selinux', which allows SELinux - to be disabled at boot. If this option is selected, SELinux - functionality can be disabled with selinux=0 on the kernel - command line. The purpose of this option is to allow a single - kernel image to be distributed with SELinux built in, but not - necessarily enabled. - - If you are unsure how to answer this question, answer N. - -config SECURITY_SELINUX_BOOTPARAM_VALUE - int "NSA SELinux boot parameter default value" - depends on SECURITY_SELINUX_BOOTPARAM - range 0 1 - default 1 - help - This option sets the default value for the kernel parameter - 'selinux', which allows SELinux to be disabled at boot. If this - option is set to 0 (zero), the SELinux kernel parameter will - default to 0, disabling SELinux at bootup. If this option is - set to 1 (one), the SELinux kernel parameter will default to 1, - enabling SELinux at bootup. - - If you are unsure how to answer this question, answer 1. - config SECURITY_SELINUX_DISABLE bool "NSA SELinux runtime disable" depends on SECURITY_SELINUX diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 71a10fedecb3..8f5eea097612 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -120,20 +120,7 @@ __setup("enforcing=", enforcing_setup); #define selinux_enforcing_boot 1 #endif -#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM -int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; - -static int __init selinux_enabled_setup(char *str) -{ - unsigned long enabled; - if (!kstrtoul(str, 0, &enabled)) - selinux_enabled = enabled ? 1 : 0; - return 1; -} -__setup("selinux=", selinux_enabled_setup); -#else -int selinux_enabled = 1; -#endif +int selinux_enabled __lsm_ro_after_init; static unsigned int selinux_checkreqprot_boot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; From patchwork Tue Oct 2 00:54:57 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10622969 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id C4F6B17E0 for ; Tue, 2 Oct 2018 01:05:21 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B0106286D1 for ; Tue, 2 Oct 2018 01:05:21 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id A4636286D4; Tue, 2 Oct 2018 01:05:21 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3D129286D1 for ; Tue, 2 Oct 2018 01:05:21 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726867AbeJBHpC (ORCPT ); Tue, 2 Oct 2018 03:45:02 -0400 Received: from mail-io1-f67.google.com ([209.85.166.67]:43648 "EHLO mail-io1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org 
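Review bot: In the hooks.c hunk, __setup("selinux=", selinux_enabled_setup) is removed outright, so an existing "selinux=0" or "selinux=1" on the command line is no longer handled by SELinux and nothing tells the administrator that it had no effect, whereas the AppArmor patch in this series keeps a stub handler that prints an error. Keep an equivalent stub here that points at "lsm.enable=selinux" and "lsm.disable=selinux", so both LSMs behave the same way for a stale parameter. The replacement "int selinux_enabled __lsm_ro_after_init;" also starts at zero and is only correct once the central logic has written to it; a short comment saying where it gets set would help the next reader.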
From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v4 24/32] LSM: Build ordered list of ordered LSMs for init Date: Mon, 1 Oct 2018 17:54:57 -0700 Message-Id: <20181002005505.6112-25-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181002005505.6112-1-keescook@chromium.org> References: <20181002005505.6112-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP This constructs a list of ordered LSMs to initialize, using a hard-coded list of only "integrity": minor LSMs continue to have direct hook calls, and major LSMs continue to initialize separately. Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler --- security/security.c | 59 +++++++++++++++++++++++++++++++++++++++------ 1 file changed, 52 insertions(+), 7 deletions(-) diff --git a/security/security.c b/security/security.c index 40b9f508b856..8706b42b4d44 100644 --- a/security/security.c +++ b/security/security.c @@ -34,6 +34,9 @@ #define MAX_LSM_EVM_XATTR 2 +/* How many LSMs were built into the kernel? */ +#define LSM_COUNT (__end_lsm_info - __start_lsm_info) + struct security_hook_heads security_hook_heads __lsm_ro_after_init; static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain); @@ -45,6 +48,9 @@ static __initdata const char *chosen_major_lsm; static __initconst const char * const builtin_lsm_enable = CONFIG_LSM_ENABLE; +/* Ordered list of LSMs to initialize. */ +static __initdata struct lsm_info **ordered_lsms; + static __initdata bool debug; #define init_debug(...) \ do { \ 
@@ -88,6 +94,45 @@ static void __init set_enabled(struct lsm_info *lsm, bool enabled) } } +/* Is an LSM already listed in the ordered LSMs list? */ +static bool __init exists_ordered_lsm(struct lsm_info *lsm) +{ + struct lsm_info **check; + + for (check = ordered_lsms; *check; check++) + if (*check == lsm) + return true; + + return false; +} + +/* Append an LSM to the list of ordered LSMs to initialize. */ +static int last_lsm __initdata; +static void __init append_ordered_lsm(struct lsm_info *lsm, const char *from) +{ + /* Ignore duplicate selections. */ + if (exists_ordered_lsm(lsm)) + return; + + if (WARN(last_lsm == LSM_COUNT, "%s: out of LSM slots!?\n", from)) + return; + + ordered_lsms[last_lsm++] = lsm; + init_debug("%s ordering: %s (%sabled)\n", from, lsm->name, + is_enabled(lsm) ? "en" : "dis"); +} + +/* Populate ordered LSMs list from hard-coded list of LSMs. */ +static void __init prepare_lsm_order(void) +{ + struct lsm_info *lsm; + + for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { + if (strcmp(lsm->name, "integrity") == 0) + append_ordered_lsm(lsm, "builtin"); + } +} + /* Is an LSM allowed to be initialized? */ static bool __init lsm_allowed(struct lsm_info *lsm) { @@ -118,14 +163,10 @@ static void __init maybe_initialize_lsm(struct lsm_info *lsm) static void __init ordered_lsm_init(void) { - struct lsm_info *lsm; - - for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { - if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) != 0) - continue; + struct lsm_info **lsm; - maybe_initialize_lsm(lsm); - } + for (lsm = ordered_lsms; *lsm; lsm++) + maybe_initialize_lsm(*lsm); } static void __init major_lsm_init(void) @@ -207,6 +248,8 @@ int __init security_init(void) for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct hlist_head); i++) INIT_HLIST_HEAD(&list[i]); + ordered_lsms = kcalloc(LSM_COUNT + 1, sizeof(*ordered_lsms), + GFP_KERNEL); /* Figure out which LSMs are enabled and disabled. */ prepare_lsm_enable(); 
@@ -219,6 +262,7 @@ int __init security_init(void) loadpin_add_hooks(); /* Load LSMs in specified order. */ + prepare_lsm_order(); ordered_lsm_init(); /* 
@@ -226,6 +270,7 @@ int __init security_init(void) */ major_lsm_init(); + kfree(ordered_lsms); return 0; } From patchwork Tue Oct 2 00:54:58 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10622961 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A5A6F17E0 for ; Tue, 2 Oct 2018 01:04:50 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8EDB7286D3 for ; Tue, 2 Oct 2018 01:04:50 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 82A44286D6; Tue, 2 Oct 2018 01:04:50 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1CA33286D3 for ; Tue, 2 Oct 2018 01:04:50 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727034AbeJBHpT (ORCPT ); Tue, 2 Oct 2018 03:45:19 -0400 Received: from mail-io1-f68.google.com ([209.85.166.68]:45461 "EHLO mail-io1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727068AbeJBHpI (ORCPT ); Tue, 2 Oct 2018 03:45:08 -0400 Received: by mail-io1-f68.google.com with SMTP id e12-v6so262152iok.12 for ; Mon, 01 Oct 2018 18:04:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=pq4ACjGaPlM3h3UYEHG6fyOCzAt325XuBayF3KFtHqs=; b=SzKobk9CWHgW0EjDQXpy5PM5QZ3lzRGlKyIOumCKOBfw36q+fvtBUq+NVX6EB408KK 
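Review bot: In security_init(), the result of kcalloc(LSM_COUNT + 1, sizeof(*ordered_lsms), GFP_KERNEL) is used without a NULL check: prepare_lsm_order() calls append_ordered_lsm(), whose exists_ordered_lsm() reads *check starting at ordered_lsms, and ordered_lsm_init() walks the same pointer. Check the allocation right after the kcalloc() and fail explicitly there instead of letting the first list walk dereference NULL.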
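Review bot: In ordered_lsm_init(), the removed loop initialized every lsm_info entry without LSM_FLAG_LEGACY_MAJOR, while the new loop only visits ordered_lsms, which prepare_lsm_order() fills with the single name "integrity". Any other non-major entry between __start_lsm_info and __end_lsm_info would now be skipped without a message. If "integrity" is the only such entry at this point in the series, say so in the comment above prepare_lsm_order(); otherwise add an init_debug() for entries that were left out.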
From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v4 25/32] LSM: Introduce CONFIG_LSM_ORDER Date: Mon, 1 Oct 2018 17:54:58 -0700 Message-Id: <20181002005505.6112-26-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181002005505.6112-1-keescook@chromium.org> References: <20181002005505.6112-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP This provides a way to declare LSM initialization order via Kconfig. Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler --- security/Kconfig | 16 ++++++++++++++++ security/security.c | 40 +++++++++++++++++++++++++++++++++++++--- 2 files changed, 53 insertions(+), 3 deletions(-) diff --git a/security/Kconfig b/security/Kconfig index 1e57619fd561..c68520d97fd7 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -286,5 +286,21 @@ config LSM_ENABLE changed with the "lsm.enable=" and "lsm.disable=" boot parameters. + Note that any enabled exclusive LSM modules will be initialized + based on LSM ordering, automatically disabling any following + exclusive LSMs. See CONFIG_LSM_ORDER for more details on + changing LSM initialization order. + +config LSM_ORDER + string "Default initialization order of builtin LSMs" + default "integrity" + help + A comma-separated list of LSMs, in initialization order. + Any LSMs left off this list will be link-order initialized + after any listed LSMs. Any LSMs listed here but not built in + the kernel will be ignored. + + If unsure, leave this as the default. + endmenu diff --git a/security/security.c b/security/security.c index 8706b42b4d44..0510bb8e0af0 100644 --- a/security/security.c +++ b/security/security.c 
@@ -47,6 +47,7 @@ static __initdata const char *chosen_lsm_disable; static __initdata const char *chosen_major_lsm; static __initconst const char * const builtin_lsm_enable = CONFIG_LSM_ENABLE; +static __initconst const char * const builtin_lsm_order = CONFIG_LSM_ORDER; /* Ordered list of LSMs to initialize. */ static __initdata struct lsm_info **ordered_lsms; 
@@ -122,14 +123,47 @@ static void __init append_ordered_lsm(struct lsm_info *lsm, const char *from) is_enabled(lsm) ? "en" : "dis"); } -/* Populate ordered LSMs list from hard-coded list of LSMs. */ +/* Populate ordered LSMs list from given string. */ +static void __init parse_lsm_order(const char *order, const char *origin) +{ + struct lsm_info *lsm; + char *sep, *name, *next; + + if (!order) + return; + + sep = kstrdup(order, GFP_KERNEL); + next = sep; + /* Walk the list, looking for matching LSMs. */ + while ((name = strsep(&next, ",")) != NULL) { + bool found = false; + + for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { + if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0 && + strcmp(lsm->name, name) == 0) { + append_ordered_lsm(lsm, origin); + found = true; + } + } + + if (!found) + init_debug("%s ignored: %s\n", origin, name); + } + kfree(sep); +} + +/* Populate ordered LSMs list from builtin list of LSMs. */ static void __init prepare_lsm_order(void) { struct lsm_info *lsm; + /* Parse order from builtin list. */ + parse_lsm_order(builtin_lsm_order, "builtin"); + + /* Add any missing LSMs, in link order. 
*/ for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { - if (strcmp(lsm->name, "integrity") == 0) - append_ordered_lsm(lsm, "builtin"); + if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0) + append_ordered_lsm(lsm, "link-time"); } }
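Review bot: parse_lsm_order() does not check the kstrdup() result, so when the allocation fails strsep() is handed a NULL pointer, the loop body never runs, and the configured order is dropped without any message. Add an explicit `if (!sep)` return with a warning so that a lost CONFIG_LSM_ORDER shows up in the boot log. Separately, the "Add any missing LSMs, in link order" loop in prepare_lsm_order() walks every non-legacy-major LSM, including the ones parse_lsm_order() has just appended, so it relies on append_ordered_lsm() skipping entries that are already listed; that body is not part of this hunk, and a one-line comment stating the dependency would help.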
From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v4 26/32] LSM: Introduce "lsm.order=" for boottime ordering Date: Mon, 1 Oct 2018 17:54:59 -0700 Message-Id: <20181002005505.6112-27-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181002005505.6112-1-keescook@chromium.org> References: <20181002005505.6112-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Provide a way to reorder LSM initialization using the new "lsm.order=" comma-separated list of LSMs. Any LSMs not listed will be added in builtin order. Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler --- Documentation/admin-guide/kernel-parameters.txt | 6 ++++++ security/security.c | 14 +++++++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 0d10ab3d020e..7e01b7a1e73d 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -2286,6 +2286,12 @@ at boot time. This overrides any omissions from CONFIG_LSM_ENABLE. + lsm.order=lsm1,...,lsmN + [SECURITY] Choose order of enabled LSM + initialization. Any builtin LSMs not listed here + will be implicitly appended to the list in builtin + order. + machvec= [IA-64] Force the use of a particular machine-vector (machvec) in a generic kernel. Example: machvec=hpzx1_swiotlb diff --git a/security/security.c b/security/security.c index 0510bb8e0af0..6fafad44b85e 100644 --- a/security/security.c +++ b/security/security.c 
@@ -44,6 +44,7 @@ char *lsm_names; /* Boot-time LSM user choice */ static __initdata const char *chosen_lsm_enable; static __initdata const char *chosen_lsm_disable; +static __initdata const char *chosen_lsm_order; static __initdata const char *chosen_major_lsm; static __initconst const char * const builtin_lsm_enable = CONFIG_LSM_ENABLE; @@ -152,11 +153,14 @@ static void __init parse_lsm_order(const char *order, const char *origin) kfree(sep); } -/* Populate ordered LSMs list from builtin list of LSMs. */ +/* Populate ordered LSMs list from commandline and builtin list of LSMs. */ static void __init prepare_lsm_order(void) { struct lsm_info *lsm; + /* Parse order from commandline, if present. */ + parse_lsm_order(chosen_lsm_order, "cmdline"); + /* Parse order from builtin list. */ parse_lsm_order(builtin_lsm_order, "builtin"); 
@@ -316,6 +320,14 @@ static int __init choose_major_lsm(char *str) } __setup("security=", choose_major_lsm); +/* Explicitly choose LSM initialization order. */ +static int __init choose_lsm_order(char *str) +{ + chosen_lsm_order = str; + return 1; +} +__setup("lsm.order=", choose_lsm_order); + /* Enable LSM order debugging. */ static int __init enable_debug(char *str) {
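Review bot: the new lsm.order= entry in kernel-parameters.txt does not say what happens to a listed name that matches no built-in LSM. prepare_lsm_order() hands the string to parse_lsm_order(), which in the previous patch reports a non-matching name only through init_debug(), so a typo on the command line silently falls back to the builtin order unless LSM order debugging is enabled. Document that unknown names are ignored, and consider a warning for the "cmdline" origin. It would also help to spell out that "builtin order" here means CONFIG_LSM_ORDER first and link order after that, since that is the sequence prepare_lsm_order() follows.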
From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v4 27/32] LoadPin: Initialize as ordered LSM Date: Mon, 1 Oct 2018 17:55:00 -0700 Message-Id: <20181002005505.6112-28-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181002005505.6112-1-keescook@chromium.org> References: <20181002005505.6112-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP This converts LoadPin from being a direct "minor" LSM into an ordered LSM. Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler --- include/linux/lsm_hooks.h | 5 ----- security/Kconfig | 2 +- security/loadpin/loadpin.c | 8 +++++++- security/security.c | 1 - 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index b026ea93ff01..098ccf2caa0e 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2091,10 +2091,5 @@ extern void __init yama_add_hooks(void); #else static inline void __init yama_add_hooks(void) { } #endif -#ifdef CONFIG_SECURITY_LOADPIN -void __init loadpin_add_hooks(void); -#else -static inline void loadpin_add_hooks(void) { }; -#endif #endif /* ! __LINUX_LSM_HOOKS_H */ diff --git a/security/Kconfig b/security/Kconfig index c68520d97fd7..e59cb9296316 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -293,7 +293,7 @@ config LSM_ENABLE config LSM_ORDER string "Default initialization order of builtin LSMs" - default "integrity" + default "loadpin,integrity" help A comma-separated list of LSMs, in initialization order. Any LSMs left off this list will be link-order initialized diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c index d8a68a6f6fef..dab42bfa1e4a 100644 
--- a/security/loadpin/loadpin.c +++ b/security/loadpin/loadpin.c @@ -184,13 +184,19 @@ static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(kernel_load_data, loadpin_load_data), }; -void __init loadpin_add_hooks(void) +static int __init loadpin_init(void) { pr_info("ready to pin (currently %senforcing)\n", enforcing ? "" : "not "); security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), "loadpin"); + return 0; } +DEFINE_LSM(loadpin) = { + .name = "loadpin", + .init = loadpin_init, +}; + /* Should not be mutable after boot, so not listed in sysfs (perm == 0). */ module_param(enforcing, int, 0); MODULE_PARM_DESC(enforcing, "Enforce module/firmware pinning"); diff --git a/security/security.c b/security/security.c index 6fafad44b85e..6957f5f50483 100644 --- a/security/security.c +++ b/security/security.c 
@@ -297,7 +297,6 @@ int __init security_init(void) */ capability_add_hooks(); yama_add_hooks(); - loadpin_add_hooks(); /* Load LSMs in specified order. */ prepare_lsm_order();
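Review bot: removing the unconditional loadpin_add_hooks() call from security_init() means LoadPin is now registered only through the ordered list, and the commit message does not say whether that makes it subject to CONFIG_LSM_ENABLE and the "lsm.enable="/"lsm.disable=" parameters described in security/Kconfig. For an LSM that enforces module/firmware pinning, becoming switchable from the kernel command line is a behaviour change that should be stated explicitly. Related: DEFINE_LSM(loadpin) sets only .name and .init, so please note where its .enabled pointer comes from.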
From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v4 28/32] Yama: Initialize as ordered LSM Date: Mon, 1 Oct 2018 17:55:01 -0700 Message-Id: <20181002005505.6112-29-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181002005505.6112-1-keescook@chromium.org> References: <20181002005505.6112-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP This converts Yama from being a direct "minor" LSM into an ordered LSM. Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler --- include/linux/lsm_hooks.h | 5 ----- security/Kconfig | 2 +- security/security.c | 1 - security/yama/yama_lsm.c | 8 +++++++- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 098ccf2caa0e..63a6caaee8e6 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2086,10 +2086,5 @@ static inline void security_delete_hooks(struct security_hook_list *hooks, #endif /* CONFIG_SECURITY_WRITABLE_HOOKS */ extern void __init capability_add_hooks(void); -#ifdef CONFIG_SECURITY_YAMA -extern void __init yama_add_hooks(void); -#else -static inline void __init yama_add_hooks(void) { } -#endif #endif /* ! __LINUX_LSM_HOOKS_H */ diff --git a/security/Kconfig b/security/Kconfig index e59cb9296316..c459d2b4c7bd 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -293,7 +293,7 @@ config LSM_ENABLE config LSM_ORDER string "Default initialization order of builtin LSMs" - default "loadpin,integrity" + default "yama,loadpin,integrity" help A comma-separated list of LSMs, in initialization order. Any LSMs left off this list will be link-order initialized 
diff --git a/security/security.c b/security/security.c index 6957f5f50483..44c23d23158e 100644 --- a/security/security.c +++ b/security/security.c @@ -296,7 +296,6 @@ int __init security_init(void) * Load minor LSMs, with the capability module always first. */ capability_add_hooks(); - yama_add_hooks(); /* Load LSMs in specified order. */ prepare_lsm_order(); diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c index ffda91a4a1aa..eb1da1303d2e 100644 --- a/security/yama/yama_lsm.c +++ b/security/yama/yama_lsm.c 
@@ -477,9 +477,15 @@ static void __init yama_init_sysctl(void) static inline void yama_init_sysctl(void) { } #endif /* CONFIG_SYSCTL */ -void __init yama_add_hooks(void) +static int __init yama_init(void) { pr_info("Yama: becoming mindful.\n"); security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks), "yama"); yama_init_sysctl(); + return 0; } + +DEFINE_LSM(yama) = { + .name = "yama", + .init = yama_init, +};
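Review bot: the new Kconfig default "yama,loadpin,integrity" keeps Yama ahead of LoadPin, as the removed yama_add_hooks() call did, but only when the default string is actually in use. A CONFIG_LSM_ORDER value that omits "yama" now puts it in the link-order tail, after every listed LSM, per the help text ("Any LSMs left off this list will be link-order initialized after any listed LSMs"). Please mention this possible ordering change in the commit message. Also, the "Load minor LSMs, with the capability module always first." comment in security_init() is left describing a block that now contains only capability_add_hooks().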
From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v4 29/32] LSM: Introduce enum lsm_order Date: Mon, 1 Oct 2018 17:55:02 -0700 Message-Id: <20181002005505.6112-30-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181002005505.6112-1-keescook@chromium.org> References: <20181002005505.6112-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP In preparation for distinguishing the "capability" LSM from other LSMs, it must be ordered first. This introduces LSM_ORDER_MUTABLE for the general LSMs, LSM_ORDER_FIRST for capabilities, and LSM_ORDER_LAST for anything that must run last (e.g. Landlock may use this in the future). Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler --- include/linux/lsm_hooks.h | 7 +++++++ security/security.c | 18 ++++++++++++++++-- 2 files changed, 23 insertions(+), 2 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 63a6caaee8e6..62bc230826e0 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2041,8 +2041,15 @@ extern void security_add_hooks(struct security_hook_list *hooks, int count, #define LSM_FLAG_LEGACY_MAJOR BIT(0) +enum lsm_order { + LSM_ORDER_FIRST = -1, /* This is only for capabilities. */ + LSM_ORDER_MUTABLE = 0, + LSM_ORDER_LAST, +}; + struct lsm_info { const char *name; /* Required. */ + enum lsm_order order; /* Optional: default is LSM_ORDER_MUTABLE */ unsigned long flags; /* Optional: flags describing LSM */ int *enabled; /* Optional: set based on CONFIG_LSM_ENABLE */ int (*init)(void); /* Required. */ diff --git a/security/security.c b/security/security.c index 44c23d23158e..dac379518e60 100644 --- a/security/security.c 
+++ b/security/security.c @@ -140,7 +140,8 @@ static void __init parse_lsm_order(const char *order, const char *origin) bool found = false; for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { - if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0 && + if (lsm->order == LSM_ORDER_MUTABLE && + (lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0 && strcmp(lsm->name, name) == 0) { append_ordered_lsm(lsm, origin); found = true; @@ -158,6 +159,12 @@ static void __init prepare_lsm_order(void) { struct lsm_info *lsm; + /* LSM_ORDER_FIRST is always first. */ + for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { + if (lsm->order == LSM_ORDER_FIRST) + append_ordered_lsm(lsm, "first"); + } + /* Parse order from commandline, if present. */ parse_lsm_order(chosen_lsm_order, "cmdline"); 
@@ -166,9 +173,16 @@ static void __init prepare_lsm_order(void) /* Add any missing LSMs, in link order. */ for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { - if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0) + if (lsm->order == LSM_ORDER_MUTABLE && + (lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0) append_ordered_lsm(lsm, "link-time"); } + + /* LSM_ORDER_LAST is always last. */ + for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { + if (lsm->order == LSM_ORDER_LAST) + append_ordered_lsm(lsm, "last"); + } } /* Is an LSM allowed to be initialized? */
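Review bot: the new LSM_ORDER_FIRST and LSM_ORDER_LAST loops in prepare_lsm_order() test only lsm->order, while both mutable paths also require LSM_FLAG_LEGACY_MAJOR to be clear. If a legacy major LSM ever declares a non-mutable order it would be appended through these loops; either add the same flag test or a comment explaining why it is not needed. With the added `lsm->order == LSM_ORDER_MUTABLE` condition in parse_lsm_order(), a FIRST or LAST LSM named in "lsm.order=" or CONFIG_LSM_ORDER also ends up reported as "ignored" by init_debug(), which deserves a line in the documentation. LSM_ORDER_LAST has no user in this patch.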
From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v4 30/32] capability: Initialize as LSM_ORDER_FIRST Date: Mon, 1 Oct 2018 17:55:03 -0700 Message-Id: <20181002005505.6112-31-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181002005505.6112-1-keescook@chromium.org> References: <20181002005505.6112-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP This converts capabilities to use the new LSM_ORDER_FIRST position. Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler --- include/linux/lsm_hooks.h | 2 -- security/commoncap.c | 9 ++++++++- security/security.c | 9 ++++----- 3 files changed, 12 insertions(+), 8 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 62bc230826e0..36e7a716fdfe 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2092,6 +2092,4 @@ static inline void security_delete_hooks(struct security_hook_list *hooks, #define __lsm_ro_after_init __ro_after_init #endif /* CONFIG_SECURITY_WRITABLE_HOOKS */ -extern void __init capability_add_hooks(void); - #endif /* ! __LINUX_LSM_HOOKS_H */ diff --git a/security/commoncap.c b/security/commoncap.c index 2e489d6a3ac8..c928eb3fe784 100644 --- a/security/commoncap.c +++ b/security/commoncap.c 
@@ -1366,10 +1366,17 @@ struct security_hook_list capability_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(vm_enough_memory, cap_vm_enough_memory), }; -void __init capability_add_hooks(void) +static int __init capability_init(void) { security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks), "capability"); + return 0; } +DEFINE_LSM(capability) = { + .name = "capability", + .order = LSM_ORDER_FIRST, + .init = capability_init, +}; + #endif /* CONFIG_SECURITY */ diff --git a/security/security.c b/security/security.c index dac379518e60..813dab3b5b97 100644 --- a/security/security.c +++ b/security/security.c @@ -62,6 +62,10 @@ static __initdata bool debug; static bool __init is_enabled(struct lsm_info *lsm) { + /* LSM_ORDER_FIRST is always enabled. */ + if (lsm->order == LSM_ORDER_FIRST) + return true; + if (WARN_ON(!lsm->enabled)) return false; 
@@ -306,11 +310,6 @@ int __init security_init(void) /* Figure out which LSMs are enabled and disabled. */ prepare_lsm_enable(); - /* - * Load minor LSMs, with the capability module always first. - */ - capability_add_hooks(); - /* Load LSMs in specified order. */ prepare_lsm_order(); ordered_lsm_init();
From patchwork Tue Oct 2 00:55:04 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10622905
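Review bot: In is_enabled() (security/security.c, hunk at -62,6), the LSM_ORDER_FIRST early return has to sit above WARN_ON(!lsm->enabled) because DEFINE_LSM(capability) in this patch sets only .name, .order and .init and no .enabled pointer, yet the comment "LSM_ORDER_FIRST is always enabled" does not say so. Suggest extending the comment to state that LSM_ORDER_FIRST entries carry no .enabled pointer, so that a later reordering of the two checks does not end with a WARN at boot and is_enabled() returning false for capability.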
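Review bot: In security_init() (security/security.c, hunk at -306,11), dropping the explicit capability_add_hooks() call also drops the only comment in this function that stated "with the capability module always first". After this change the guarantee rests on .order = LSM_ORDER_FIRST being honoured by prepare_lsm_order() and ordered_lsm_init(), which is not visible at the call site. Suggest keeping a one-line comment above prepare_lsm_order() noting that capability is initialized first through LSM_ORDER_FIRST.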
From: Kees Cook
To: James Morris
Cc: Kees Cook, Casey Schaufler, John Johansen, Tetsuo Handa, Paul Moore, Stephen Smalley, "Schaufler, Casey", LSM, Jonathan Corbet, linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH security-next v4 31/32] LSM: Separate idea of "major" LSM from "exclusive" LSM
Date: Mon, 1 Oct 2018 17:55:04 -0700
Message-Id: <20181002005505.6112-32-keescook@chromium.org>
In-Reply-To: <20181002005505.6112-1-keescook@chromium.org>
References: <20181002005505.6112-1-keescook@chromium.org>

In order to both support old "security=" Legacy Major LSM selection, and handle real exclusivity, this creates LSM_FLAG_EXCLUSIVE and updates the selection logic to handle them.

Signed-off-by: Kees Cook
Reviewed-by: Casey Schaufler
---
 include/linux/lsm_hooks.h  |  1 +
 security/apparmor/lsm.c    |  2 +-
 security/security.c        | 12 ++++++++++++
 security/selinux/hooks.c   |  2 +-
 security/smack/smack_lsm.c |  2 +-
 security/tomoyo/tomoyo.c   |  2 +-
 6 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 36e7a716fdfe..2c9cf89a20ad 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2040,6 +2040,7 @@ extern void security_add_hooks(struct security_hook_list *hooks, int count, char *lsm); #define LSM_FLAG_LEGACY_MAJOR BIT(0) +#define LSM_FLAG_EXCLUSIVE BIT(1) enum lsm_order { LSM_ORDER_FIRST = -1, /* This is only for capabilities. */ diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 4cd96a66ed6f..4eb74a6f2020 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c
@@ -1599,7 +1599,7 @@ static int __init apparmor_init(void) DEFINE_LSM(apparmor) = { .name = "apparmor", - .flags = LSM_FLAG_LEGACY_MAJOR, + .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, .enabled = &apparmor_enabled, .init = apparmor_init, }; diff --git a/security/security.c b/security/security.c index 813dab3b5b97..7d542e78b7e8 100644 --- a/security/security.c +++ b/security/security.c @@ -52,6 +52,7 @@ static __initconst const char * const builtin_lsm_order = CONFIG_LSM_ORDER; /* Ordered list of LSMs to initialize. */ static __initdata struct lsm_info **ordered_lsms; +static __initdata struct lsm_info *exclusive; static __initdata bool debug; #define init_debug(...) \ @@ -196,6 +197,12 @@ static bool __init lsm_allowed(struct lsm_info *lsm) if (!is_enabled(lsm)) return false; + /* Not allowed if another exclusive LSM already initialized. */ + if ((lsm->flags & LSM_FLAG_EXCLUSIVE) && exclusive) { + init_debug("exclusive disabled: %s\n", lsm->name); + return false; + } + return true; } @@ -211,6 +218,11 @@ static void __init maybe_initialize_lsm(struct lsm_info *lsm) if (enabled) { int ret; + if ((lsm->flags & LSM_FLAG_EXCLUSIVE) && !exclusive) { + exclusive = lsm; + init_debug("exclusive: %s\n", lsm->name); + } + init_debug("initializing %s\n", lsm->name); ret = lsm->init(); WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret); diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 8f5eea097612..c070d3761ddc 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7181,7 +7181,7 @@ void selinux_complete_init(void) all processes and objects when they are created. */ DEFINE_LSM(selinux) = { .name = "selinux", - .flags = LSM_FLAG_LEGACY_MAJOR, + .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, .enabled = &selinux_enabled, .init = selinux_init, }; diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index f243044d5a55..92e4baa342f8 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
@@ -4881,6 +4881,6 @@ static __init int smack_init(void) */ DEFINE_LSM(smack) = { .name = "smack", - .flags = LSM_FLAG_LEGACY_MAJOR, + .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, .init = smack_init, }; diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index a46f6bc1e97c..daff7d7897ad 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c 
@@ -550,6 +550,6 @@ static int __init tomoyo_init(void) DEFINE_LSM(tomoyo) = { .name = "tomoyo", - .flags = LSM_FLAG_LEGACY_MAJOR, + .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, .init = tomoyo_init, };
From patchwork Tue Oct 2 00:55:05 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10622909
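Review bot: In include/linux/lsm_hooks.h (hunk at -2040,6), LSM_FLAG_EXCLUSIVE is added as BIT(1) next to LSM_FLAG_LEGACY_MAJOR with no comment on either flag, so the distinction this patch exists to draw lives only in the commit message. Suggest a short comment on each define: LSM_FLAG_LEGACY_MAJOR marks LSMs selectable through "security=", LSM_FLAG_EXCLUSIVE marks LSMs of which at most one may be initialized.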
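Review bot: In maybe_initialize_lsm() (security/security.c, hunk at -211,6), exclusive is assigned before lsm->init() is called and is left set when init returns non-zero, where the code only issues the WARN "%s failed to initialize". An exclusive LSM whose init fails therefore still makes lsm_allowed() reject every later exclusive LSM, and boot continues with none of them active. Either decide that a failed init releases the slot, or add a comment stating that the slot is kept deliberately.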
From: Kees Cook
To: James Morris
Cc: Kees Cook, Casey Schaufler, John Johansen, Tetsuo Handa, Paul Moore, Stephen Smalley, "Schaufler, Casey", LSM, Jonathan Corbet, linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH security-next v4 32/32] LSM: Add all exclusive LSMs to ordered initialization
Date: Mon, 1 Oct 2018 17:55:05 -0700
Message-Id: <20181002005505.6112-33-keescook@chromium.org>
In-Reply-To: <20181002005505.6112-1-keescook@chromium.org>
References: <20181002005505.6112-1-keescook@chromium.org>

This removes CONFIG_DEFAULT_SECURITY in favor of the explicit build-time ordering offered by CONFIG_LSM_ORDER, and adds all the exclusive LSMs to the ordered LSM initialization. The old meaning of CONFIG_DEFAULT_SECURITY is now captured by which exclusive LSM is listed first in the LSM order.

Signed-off-by: Kees Cook
Reviewed-by: Casey Schaufler
---
 security/Kconfig    | 43 ++++---------------------------------------
 security/security.c | 23 +----------------------
 2 files changed, 5 insertions(+), 61 deletions(-)

diff --git a/security/Kconfig b/security/Kconfig index c459d2b4c7bd..cc8bb1c344f5 100644 --- a/security/Kconfig +++ b/security/Kconfig
@@ -239,43 +239,6 @@ source security/yama/Kconfig source security/integrity/Kconfig -choice - prompt "Default security module" - default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX - default DEFAULT_SECURITY_SMACK if SECURITY_SMACK - default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO - default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR - default DEFAULT_SECURITY_DAC - - help - Select the security module that will be used by default if the - kernel parameter security= is not specified. - - config DEFAULT_SECURITY_SELINUX - bool "SELinux" if SECURITY_SELINUX=y - - config DEFAULT_SECURITY_SMACK - bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y - - config DEFAULT_SECURITY_TOMOYO - bool "TOMOYO" if SECURITY_TOMOYO=y - - config DEFAULT_SECURITY_APPARMOR - bool "AppArmor" if SECURITY_APPARMOR=y - - config DEFAULT_SECURITY_DAC - bool "Unix Discretionary Access Controls" - -endchoice - -config DEFAULT_SECURITY - string - default "selinux" if DEFAULT_SECURITY_SELINUX - default "smack" if DEFAULT_SECURITY_SMACK - default "tomoyo" if DEFAULT_SECURITY_TOMOYO - default "apparmor" if DEFAULT_SECURITY_APPARMOR - default "" if DEFAULT_SECURITY_DAC - config LSM_ENABLE string "LSMs to enable at boot time" default "all" @@ -293,12 +256,14 @@ config LSM_ENABLE config LSM_ORDER string "Default initialization order of builtin LSMs" - default "yama,loadpin,integrity" + default "yama,loadpin,integrity,selinux,smack,tomoyo,apparmor" help A comma-separated list of LSMs, in initialization order. Any LSMs left off this list will be link-order initialized after any listed LSMs. Any LSMs listed here but not built in - the kernel will be ignored. + the kernel will be ignored. If the boot parameter + "lsm.order=" is used, it will override this order, with any + unlisted LSMs falling back to the order of this config, etc. If unsure, leave this as the default. diff --git a/security/security.c b/security/security.c index 7d542e78b7e8..d682342b6450 100644 --- a/security/security.c 
+++ b/security/security.c @@ -146,7 +146,6 @@ static void __init parse_lsm_order(const char *order, const char *origin) for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { if (lsm->order == LSM_ORDER_MUTABLE && - (lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0 && strcmp(lsm->name, name) == 0) { append_ordered_lsm(lsm, origin); found = true; @@ -178,8 +177,7 @@ static void __init prepare_lsm_order(void) /* Add any missing LSMs, in link order. */ for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { - if (lsm->order == LSM_ORDER_MUTABLE && - (lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0) + if (lsm->order == LSM_ORDER_MUTABLE) append_ordered_lsm(lsm, "link-time"); } @@ -237,18 +235,6 @@ static void __init ordered_lsm_init(void) maybe_initialize_lsm(*lsm); } -static void __init major_lsm_init(void) -{ - struct lsm_info *lsm; - - for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { - if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0) - continue; - - maybe_initialize_lsm(lsm); - } -} - static void __init parse_lsm_enable(const char *str, bool enabled) { @@ -282,8 +268,6 @@ static void __init prepare_lsm_enable(void) parse_lsm_enable(chosen_lsm_disable, false); /* Process "security=", if given. */ - if (!chosen_major_lsm) - chosen_major_lsm = CONFIG_DEFAULT_SECURITY; if (chosen_major_lsm) { struct lsm_info *lsm; @@ -326,11 +310,6 @@ int __init security_init(void) prepare_lsm_order(); ordered_lsm_init(); - /* - * Load all the remaining security modules. - */ - major_lsm_init(); - kfree(ordered_lsms); return 0; }
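Review bot: In the LSM_ORDER hunk of security/Kconfig (-293,12), the new default "yama,loadpin,integrity,selinux,smack,tomoyo,apparmor" fixes selinux as the first exclusive LSM, so a configuration that builds SELinux but previously chose DEFAULT_SECURITY_APPARMOR, DEFAULT_SECURITY_SMACK or DEFAULT_SECURITY_TOMOYO changes its default exclusive LSM unless LSM_ORDER is edited by hand. The removed choice block has no migration path; suggest stating this in the help text or the commit message. The added help sentence also ends in a dangling "etc." after "falling back to the order of this config", which should be dropped or spelled out.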
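Review bot: In prepare_lsm_order() and prepare_lsm_enable() (security/security.c, hunks at -178,8 and -282,8), the removed DEFAULT_SECURITY_DAC choice ("Unix Discretionary Access Controls", default "") is left without a documented replacement: with the LSM_FLAG_LEGACY_MAJOR test gone, every LSM_ORDER_MUTABLE LSM is appended as "link-time" even when it is left off LSM_ORDER, and with no "security=" given chosen_major_lsm is no longer filled in from CONFIG_DEFAULT_SECURITY. Suggest documenting in the LSM_ORDER or LSM_ENABLE help text how a build with no exclusive LSM active by default is now expressed.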
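The selection rule described in the 31/32 and 32/32 commit messages (the first enabled exclusive LSM in the order wins, and unlisted LSMs follow in link order) can be modelled in user space. This is an added illustration, not code from the patch series: struct model_lsm, try_init() and model_init() are hypothetical names, the sample set of built-in LSMs is constructed, and "security=" and "lsm.order=" handling are left out.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MODEL_EXCLUSIVE 0x2u /* stands in for LSM_FLAG_EXCLUSIVE, BIT(1) */
/* Hypothetical user-space stand-in for the kernel's struct lsm_info. */
struct model_lsm { const char *name; unsigned flags; bool enabled, initialized; };

/* Models lsm_allowed() plus maybe_initialize_lsm(): skip disabled LSMs, and
 * skip an exclusive LSM once another exclusive one holds the slot. */
static void try_init(struct model_lsm *l, const char **exclusive)
{
    if (!l->enabled || l->initialized)
        return;
    if (l->flags & MODEL_EXCLUSIVE) {
        if (*exclusive)
            return; /* the "exclusive disabled: <name>" case */
        *exclusive = l->name;
    }
    l->initialized = true;
}

/* Initialize in comma-separated `order`, then unlisted LSMs in array ("link")
 * order. Returns the name of the exclusive LSM that won, or NULL. */
const char *model_init(struct model_lsm *lsms, int n, const char *order)
{
    const char *exclusive = NULL, *p = order;

    for (int i = 0; i < n; i++)
        lsms[i].initialized = false;
    for (size_t len = 0; ; p += len + 1) {
        len = strcspn(p, ",");
        for (int i = 0; i < n; i++)
            if (strlen(lsms[i].name) == len && !strncmp(lsms[i].name, p, len))
                try_init(&lsms[i], &exclusive);
        if (p[len] == '\0')
            break;
    }
    for (int i = 0; i < n; i++)
        try_init(&lsms[i], &exclusive);
    return exclusive;
}

int main(void)
{
    /* Constructed sample; array order plays the role of link order. */
    struct model_lsm l[] = { {"apparmor", MODEL_EXCLUSIVE, true, false},
                             {"selinux", MODEL_EXCLUSIVE, true, false}, {"yama", 0, true, false} };
    const char *w = model_init(l, 3, "yama,loadpin,integrity,selinux,smack,tomoyo,apparmor");
    printf("exclusive LSM: %s\n", w ? w : "(none)");
}
```

With the default order from the Kconfig hunk, selinux takes the exclusive slot even though apparmor comes first in the array; an order of "apparmor" reverses that while yama is still picked up by the link-order pass.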