Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp2214413imm; Thu, 20 Sep 2018 09:26:26 -0700 (PDT) X-Google-Smtp-Source: ANB0VdazAAGjckGLkrNS98XH1dVNLCm9tcHx//e/E7+AI+kEv8djz2MWtrcNm00cI4m7vzjNgoKP X-Received: by 2002:a65:450a:: with SMTP id n10-v6mr37820075pgq.392.1537460786689; Thu, 20 Sep 2018 09:26:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1537460786; cv=none; d=google.com; s=arc-20160816; b=uAJwAYIgd7RuSBDlD/fhjKtPP0ATBa4Ovo8dymiH0fiI4X+FE0LQyvguZR2j9o/s4a rTbUQV9GDUMZfVGQSfd7tp1HVoHjUqiDFQPDMqDgpK6QiatNvAw9sWugghXZbirePxFV gU32/IOV4FpwaIZspeJL46W5xQq0NiHnS7Tsx7vv0dBrlVEaGXMe011fyPhDDQAnKM9Z uOgloHnViOhtVx80gPXiyafOAaac+iltQGcYCh6iAuov4CygYsNi1c2ukA7KV9g9ltr3 u+mQXbWvQ5g4CCWcCjjXEUTtDhISx4fDf9uY/b4xgKKOlYDJnCb6ozCPBa85/f1zkfGA 41mg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature; bh=ADJHC4s9ZMj3ar7esgUMR6Wop3I2SGyxspuGdT2hueQ=; b=pfCLZwG/1k3Y8T/FkkR005bZ3ZT7SWDM8ewea65Z/SZj4O2ngmWqOhrzJxKpPv9jQt BoS7T+GT4kDvI6LXuN0jG/WdR4W68huQWxhu8/fFZWztCUpIUd2nDZwsj6pm690bVfRA cXvVb9dlv4/KKTW+jjMUv5PUzxMjFFnx6u/n9VYkM4i0Z5SLjIHEmzqUTSWlFOP2J7FY u+1+e5fmmW7lDxhyqBIdjXJ49ybMM6c+WLPEOeJkitl2JHAkNy2wFhoeP58R6N522XGy OQzcdovRatJOi+20NVp5RhRF45/S7IprfL1wC5vUP4A8o/1IRc4R1k/8vxlqFcej7QWf zCpA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b="HEn/VfFr"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r39-v6si24269209pld.218.2018.09.20.09.26.10; Thu, 20 Sep 2018 09:26:26 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b="HEn/VfFr"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731846AbeITWIP (ORCPT + 99 others); Thu, 20 Sep 2018 18:08:15 -0400 Received: from mail-pg1-f195.google.com ([209.85.215.195]:43327 "EHLO mail-pg1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731488AbeITWIO (ORCPT ); Thu, 20 Sep 2018 18:08:14 -0400 Received: by mail-pg1-f195.google.com with SMTP id q19-v6so3809238pgn.10 for ; Thu, 20 Sep 2018 09:23:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=ADJHC4s9ZMj3ar7esgUMR6Wop3I2SGyxspuGdT2hueQ=; b=HEn/VfFrcODv2Zs3UOo8V2Mc8DuzD9WiN5o21ZG/mgRn3MHGM3SGBvAzRbCsxGC8AK 2iU1OFmw7WzJQmJZbYz5A05vdtigUc7UVYHtDzY7Cvyubw3pziU3jqIdKK0KACq9LfIa sxiBrVuo9inx3WbVEoonlp51Ei1jjYmTBKxa4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=ADJHC4s9ZMj3ar7esgUMR6Wop3I2SGyxspuGdT2hueQ=; b=fy/EzuWdbsZts1KyUHVfjzfJh4BeMD/7W8UOWD/7QhCc291sA3kQsvMXBekEoY/t9u kfG+0RnRDQl8lgW7YbrDBIh+h3wBX1gxTdpY76dXO7banqdULG5G1YaolX2mXF66j3a8 +/p5Sh2QVOxSPCmAqoHXWq5wiUdaU9pDSzDBt/ZbllDqIYLUEakc5aaVEsX8sU/A1N1P n2SM8ZYw7HEvyvPU+k3NOuUymbF5WWi1G5r3ttIAYkGSnYfZyrPkoVDObmKUeKStIBCU TcQ9Gz3Rbu9w7pyKJOlpcy/gRKlEOI3MRvNW3XixGtQwovQsE3MrXFm8wTkod82B9dJQ PwqQ== X-Gm-Message-State: APzg51COOiGUY95RYeDObV62UpH4gaBTIPDMMKJGcBCImQvpzw+CsN0H VjTzDS9zCT3/6sbRv5gQ8mjdmQ== X-Received: by 2002:a62:c699:: with SMTP id x25-v6mr42463469pfk.16.1537460638416; Thu, 20 Sep 2018 09:23:58 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id i76-v6sm9501767pgc.20.2018.09.20.09.23.48 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Thu, 20 Sep 2018 09:23:55 -0700 (PDT) From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , Jonathan Corbet , linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH security-next v2 14/26] LSM: Lift LSM selection out of individual LSMs Date: Thu, 20 Sep 2018 09:23:26 -0700 Message-Id: <20180920162338.21060-15-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180920162338.21060-1-keescook@chromium.org> References: <20180920162338.21060-1-keescook@chromium.org> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org As a prerequisite to adjusting LSM selection logic in the future, this moves the selection logic up out of the individual major LSMs, making their init functions only run when actually enabled. Signed-off-by: Kees Cook --- include/linux/lsm_hooks.h | 1 - security/apparmor/lsm.c | 6 --- security/security.c | 76 ++++++++++++++++++++++---------------- security/selinux/hooks.c | 10 ----- security/smack/smack_lsm.c | 3 -- security/tomoyo/tomoyo.c | 2 - 6 files changed, 45 insertions(+), 53 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 118e12f678df..ec1c0a97dfe3 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2091,7 +2091,6 @@ static inline void security_delete_hooks(struct security_hook_list *hooks, #define __lsm_ro_after_init __ro_after_init #endif /* CONFIG_SECURITY_WRITABLE_HOOKS */ -extern int __init security_module_enable(const char *module); extern void __init capability_add_hooks(void); #ifdef CONFIG_SECURITY_YAMA extern void __init yama_add_hooks(void); diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index d03133a267f2..5399c2f03536 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1542,12 +1542,6 @@ static int __init apparmor_init(void) { int error; - if (!apparmor_enabled || !security_module_enable("apparmor")) { - aa_info_message("AppArmor disabled by boot time parameter"); - apparmor_enabled = false; - return 0; - } - aa_secids_init(); error = aa_setup_dfa_engine(); diff --git a/security/security.c b/security/security.c index a886a978214a..85533d4e534a 100644 --- a/security/security.c +++ b/security/security.c @@ -52,33 +52,70 @@ static bool debug __initdata; pr_info(__VA_ARGS__); \ } while (0) +/* Mark an LSM's enabled flag, if it exists. */ +static void __init set_enabled(struct lsm_info *lsm, bool enabled) +{ + if (lsm->enabled) + *lsm->enabled = enabled; +} + +/* Is an LSM allowed to be enabled? */ +static bool __init lsm_allowed(struct lsm_info *lsm) +{ + /* Skip if the LSM is disabled. */ + if (lsm->enabled && !*lsm->enabled) + return false; + + /* Skip major-specific checks if not a major LSM. */ + if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0) + return true; + + /* Disabled if this LSM isn't the chosen one. */ + if (strcmp(lsm->name, chosen_lsm) != 0) + return false; + + return true; +} + +/* Check if LSM should be enabled. Mark any that are disabled. */ +static void __init maybe_initialize_lsm(struct lsm_info *lsm) +{ + int enabled = lsm_allowed(lsm); + + /* Record enablement. */ + set_enabled(lsm, enabled); + + /* If selected, initialize the LSM. */ + if (enabled) { + int ret; + + init_debug("initializing %s\n", lsm->name); + ret = lsm->init(); + WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret); + } +} + static void __init ordered_lsm_init(void) { struct lsm_info *lsm; - int ret; for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) != 0) continue; - init_debug("initializing %s\n", lsm->name); - ret = lsm->init(); - WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret); + maybe_initialize_lsm(lsm); } } static void __init major_lsm_init(void) { struct lsm_info *lsm; - int ret; for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0) continue; - init_debug("initializing %s\n", lsm->name); - ret = lsm->init(); - WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret); + maybe_initialize_lsm(lsm); } } @@ -168,29 +205,6 @@ static int lsm_append(char *new, char **result) return 0; } -/** - * security_module_enable - Load given security module on boot ? - * @module: the name of the module - * - * Each LSM must pass this method before registering its own operations - * to avoid security registration races. This method may also be used - * to check if your LSM is currently loaded during kernel initialization. - * - * Returns: - * - * true if: - * - * - The passed LSM is the one chosen by user at boot time, - * - or the passed LSM is configured as the default and the user did not - * choose an alternate LSM at boot time. - * - * Otherwise, return false. - */ -int __init security_module_enable(const char *module) -{ - return !strcmp(module, chosen_lsm); -} - /** * security_add_hooks - Add a modules hooks to the hook lists. * @hooks: the hooks to add diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3f999ed98cfd..409a9252aeb6 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7133,16 +7133,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { static __init int selinux_init(void) { - if (!security_module_enable("selinux")) { - selinux_enabled = 0; - return 0; - } - - if (!selinux_enabled) { - pr_info("SELinux: Disabled at boot.\n"); - return 0; - } - pr_info("SELinux: Initializing.\n"); memset(&selinux_state, 0, sizeof(selinux_state)); diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 4aef844fc0e2..e79fad43a8e3 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4834,9 +4834,6 @@ static __init int smack_init(void) struct cred *cred; struct task_smack *tsp; - if (!security_module_enable("smack")) - return 0; - smack_inode_cache = KMEM_CACHE(inode_smack, 0); if (!smack_inode_cache) return -ENOMEM; diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index 528b6244a648..39bb994ebe09 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c @@ -540,8 +540,6 @@ static int __init tomoyo_init(void) { struct cred *cred = (struct cred *) current_cred(); - if (!security_module_enable("tomoyo")) - return 0; /* register ourselves with the security framework */ security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo"); printk(KERN_INFO "TOMOYO Linux initialized\n"); -- 2.17.1