Commit c91d8106 authored by Casey Schaufler's avatar Casey Schaufler Committed by Kees Cook

LSM: Add all exclusive LSMs to ordered initialization



This removes CONFIG_DEFAULT_SECURITY in favor of the explicit ordering
offered by CONFIG_LSM and adds all the exclusive LSMs to the ordered
LSM initialization. The old meaning of CONFIG_DEFAULT_SECURITY is now
captured by which exclusive LSM is listed first in the LSM order. All
LSMs not added to the ordered list are explicitly disabled.

Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Signed-off-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
parent be6ec88f
+20 −25
@@ -169,8 +169,6 @@ static void __init ordered_lsm_parse(const char *order, const char *origin)
	char *sep, *name, *next;

	/* Process "security=", if given. */
	if (!chosen_major_lsm)
		chosen_major_lsm = CONFIG_DEFAULT_SECURITY;
	if (chosen_major_lsm) {
		struct lsm_info *major;

@@ -198,8 +196,7 @@ static void __init ordered_lsm_parse(const char *order, const char *origin)
		bool found = false;

		for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
			if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0 &&
			    strcmp(lsm->name, name) == 0) {
			if (strcmp(lsm->name, name) == 0) {
				append_ordered_lsm(lsm, origin);
				found = true;
			}
@@ -208,6 +205,25 @@ static void __init ordered_lsm_parse(const char *order, const char *origin)
		if (!found)
			init_debug("%s ignored: %s\n", origin, name);
	}

	/* Process "security=", if given. */
	if (chosen_major_lsm) {
		for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
			if (exists_ordered_lsm(lsm))
				continue;
			if (strcmp(lsm->name, chosen_major_lsm) == 0)
				append_ordered_lsm(lsm, "security=");
		}
	}

	/* Disable all LSMs not in the ordered list. */
	for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
		if (exists_ordered_lsm(lsm))
			continue;
		set_enabled(lsm, false);
		init_debug("%s disabled: %s\n", origin, lsm->name);
	}

	kfree(sep);
}

@@ -229,22 +245,6 @@ static void __init ordered_lsm_init(void)
	kfree(ordered_lsms);
}

static void __init major_lsm_init(void)
{
	struct lsm_info *lsm;

	for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
		if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0)
			continue;

		/* Enable this LSM, if it is not already set. */
		if (!lsm->enabled)
			lsm->enabled = &lsm_enabled_true;

		maybe_initialize_lsm(lsm);
	}
}

/**
 * security_init - initializes the security framework
 *
@@ -271,11 +271,6 @@ int __init security_init(void)
	/* Load LSMs in specified order. */
	ordered_lsm_init();

	/*
	 * Load all the remaining security modules.
	 */
	major_lsm_init();

	return 0;
}
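Review bot: In the third hunk, the new `security=` pass (`if (chosen_major_lsm) { … }`) emits no diagnostic when chosen_major_lsm matches no registered LSM, so a misspelled or not-built-in `security=` value is silently dropped and the loop that follows then disables every LSM outside the ordered list, leaving the operator to infer the outcome from the "disabled" lines. The name loop in the second hunk already reports unknown `lsm=` entries with `init_debug("%s ignored: %s\n", origin, name)`, so this path should report the same way; tracking whether strcmp ever matched and logging `init_debug("security= ignored: %s\n", chosen_major_lsm)` afterwards does that, and the match must be counted even when the LSM is already in the ordered list, otherwise the message would fire spuriously. Whether the earlier `if (chosen_major_lsm) { struct lsm_info *major; …` block in the first hunk already validates the name cannot be seen here, since that block is cut off. ordered_lsm_parse begins outside the hunk.
```c
	/* … unchanged: ordered-list parse of "lsm=" names … */

	/* Process "security=", if given. */
	if (chosen_major_lsm) {
		bool major_found = false;

		for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
			if (strcmp(lsm->name, chosen_major_lsm) != 0)
				continue;
			major_found = true;
			if (!exists_ordered_lsm(lsm))
				append_ordered_lsm(lsm, "security=");
		}
		if (!major_found)
			init_debug("security= ignored: %s\n", chosen_major_lsm);
	}

	/* … unchanged: disable loop over LSMs not in the ordered list, kfree(sep) … */
```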