Commit 13e735c0 authored by Kees Cook's avatar Kees Cook

LSM: Introduce CONFIG_LSM

This provides a way to declare LSM initialization order via the new
CONFIG_LSM. Currently only non-major LSMs are recognized. This will
be expanded in future patches.
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
parent 2d4d5119
...@@ -276,5 +276,14 @@ config DEFAULT_SECURITY ...@@ -276,5 +276,14 @@ config DEFAULT_SECURITY
default "apparmor" if DEFAULT_SECURITY_APPARMOR default "apparmor" if DEFAULT_SECURITY_APPARMOR
default "" if DEFAULT_SECURITY_DAC default "" if DEFAULT_SECURITY_DAC
config LSM
string "Ordered list of enabled LSMs"
default "integrity"
help
A comma-separated list of LSMs, in initialization order.
Any LSMs left off this list will be ignored.
If unsure, leave this as the default.
endmenu endmenu
...@@ -48,6 +48,8 @@ char *lsm_names; ...@@ -48,6 +48,8 @@ char *lsm_names;
static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
CONFIG_DEFAULT_SECURITY; CONFIG_DEFAULT_SECURITY;
static __initconst const char * const builtin_lsm_order = CONFIG_LSM;
/* Ordered list of LSMs to initialize. */ /* Ordered list of LSMs to initialize. */
static __initdata struct lsm_info **ordered_lsms; static __initdata struct lsm_info **ordered_lsms;
...@@ -155,15 +157,30 @@ static void __init maybe_initialize_lsm(struct lsm_info *lsm) ...@@ -155,15 +157,30 @@ static void __init maybe_initialize_lsm(struct lsm_info *lsm)
} }
} }
/* Populate ordered LSMs list from single LSM name. */ /* Populate ordered LSMs list from comma-separated LSM name list. */
static void __init ordered_lsm_parse(const char *order, const char *origin) static void __init ordered_lsm_parse(const char *order, const char *origin)
{ {
struct lsm_info *lsm; struct lsm_info *lsm;
char *sep, *name, *next;
sep = kstrdup(order, GFP_KERNEL);
next = sep;
/* Walk the list, looking for matching LSMs. */
while ((name = strsep(&next, ",")) != NULL) {
bool found = false;
for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0 &&
strcmp(lsm->name, name) == 0) {
append_ordered_lsm(lsm, origin);
found = true;
}
}
for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { if (!found)
if (strcmp(lsm->name, order) == 0) init_debug("%s ignored: %s\n", origin, name);
append_ordered_lsm(lsm, origin);
} }
kfree(sep);
} }
static void __init ordered_lsm_init(void) static void __init ordered_lsm_init(void)
...@@ -173,7 +190,7 @@ static void __init ordered_lsm_init(void) ...@@ -173,7 +190,7 @@ static void __init ordered_lsm_init(void)
ordered_lsms = kcalloc(LSM_COUNT + 1, sizeof(*ordered_lsms), ordered_lsms = kcalloc(LSM_COUNT + 1, sizeof(*ordered_lsms),
GFP_KERNEL); GFP_KERNEL);
ordered_lsm_parse("integrity", "builtin"); ordered_lsm_parse(builtin_lsm_order, "builtin");
for (lsm = ordered_lsms; *lsm; lsm++) for (lsm = ordered_lsms; *lsm; lsm++)
maybe_initialize_lsm(*lsm); maybe_initialize_lsm(*lsm);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment