[PATCH security-next v5 17/30] LSM: Introduce CONFIG_LSM
From: Kees Cook
Date: Wed Oct 10 2018 - 20:26:54 EST
This provides a way to declare LSM initialization order via the new
CONFIG_LSM. Currently only non-major LSMs are recognized. This will
be expanded in future patches.
Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
---
security/Kconfig | 9 +++++++++
security/security.c | 27 ++++++++++++++++++++++-----
2 files changed, 31 insertions(+), 5 deletions(-)
diff --git a/security/Kconfig b/security/Kconfig
index 27d8b2688f75..005634f7c4bb 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -276,5 +276,14 @@ config DEFAULT_SECURITY
default "apparmor" if DEFAULT_SECURITY_APPARMOR
default "" if DEFAULT_SECURITY_DAC
+config LSM
+ string "Ordered list of enabled LSMs"
+ default "integrity"
+ help
+ A comma-separated list of LSMs, in initialization order.
+ Any LSMs left off this list will be ignored.
+
+ If unsure, leave this as the default.
+
endmenu
diff --git a/security/security.c b/security/security.c
index 9bb15d697287..1c4889bce917 100644
--- a/security/security.c
+++ b/security/security.c
@@ -48,6 +48,8 @@ char *lsm_names;
static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
CONFIG_DEFAULT_SECURITY;
+static __initconst const char * const builtin_lsm_order = CONFIG_LSM;
+
/* Ordered list of LSMs to initialize. */
static __initdata struct lsm_info **ordered_lsms;
@@ -155,15 +157,30 @@ static void __init maybe_initialize_lsm(struct lsm_info *lsm)
}
}
-/* Populate ordered LSMs list from single LSM name. */
+/* Populate ordered LSMs list from comma-separated LSM name list. */
static void __init ordered_lsm_parse(const char *order, const char *origin)
{
struct lsm_info *lsm;
+ char *sep, *name, *next;
+
+ sep = kstrdup(order, GFP_KERNEL);
+ next = sep;
+ /* Walk the list, looking for matching LSMs. */
+ while ((name = strsep(&next, ",")) != NULL) {
+ bool found = false;
+
+ for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
+ if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0 &&
+ strcmp(lsm->name, name) == 0) {
+ append_ordered_lsm(lsm, origin);
+ found = true;
+ }
+ }
- for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
- if (strcmp(lsm->name, order) == 0)
- append_ordered_lsm(lsm, origin);
+ if (!found)
+ init_debug("%s ignored: %s\n", origin, name);
}
+ kfree(sep);
}
static void __init ordered_lsm_init(void)
@@ -173,7 +190,7 @@ static void __init ordered_lsm_init(void)
ordered_lsms = kcalloc(LSM_COUNT + 1, sizeof(*ordered_lsms),
GFP_KERNEL);
- ordered_lsm_parse("integrity", "builtin");
+ ordered_lsm_parse(builtin_lsm_order, "builtin");
for (lsm = ordered_lsms; *lsm; lsm++)
maybe_initialize_lsm(*lsm);
--
2.17.1