Subject: Re: [PATCH security-next v2 18/26] LSM: Build ordered list of ordered LSMs for init
To: Kees Cook, James Morris
Cc: John Johansen, Tetsuo Handa, Paul Moore, Stephen Smalley, "Schaufler, Casey", LSM, Jonathan Corbet, linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org
References: <20180920162338.21060-1-keescook@chromium.org> <20180920162338.21060-19-keescook@chromium.org>
From: Casey Schaufler
Date: Thu, 20 Sep 2018 17:04:03 -0700
In-Reply-To: <20180920162338.21060-19-keescook@chromium.org>

On 9/20/2018 9:23 AM, Kees Cook wrote:
> This constructs a list of ordered LSMs to initialize, using a hard-coded
> list of only "integrity": minor LSMs continue to have direct hook calls,
> and major LSMs continue to initialize separately.
>
> Signed-off-by: Kees Cook

Do you think that this mechanism will be sufficiently flexible to accommodate dynamically loaded security modules in the future? While I am not personally an advocate of dynamically loaded security modules I have been working to ensure that I haven't done anything that would actively interfere with someone who did.

> --- > security/security.c | 59 +++++++++++++++++++++++++++++++++++++++------ > 1 file changed, 52 insertions(+), 7 deletions(-) > > diff --git a/security/security.c b/security/security.c > index 25a019cc4a2b..2541a512a0f7 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -34,6 +34,9 @@ > > #define MAX_LSM_EVM_XATTR 2 > > +/* How many LSMs were built into the kernel? */ > +#define LSM_COUNT (__end_lsm_info - __start_lsm_info) > + > struct security_hook_heads security_hook_heads __lsm_ro_after_init; > static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain); > > @@ -41,6 +44,9 @@ char *lsm_names; > /* Boot-time LSM user choice */ > static __initdata const char *chosen_major_lsm; > > +/* Ordered list of LSMs to initialize. */ > +static __initdata struct lsm_info **ordered_lsms; > + > static bool debug __initdata; > #define init_debug(...) \ > do { \
> @@ -74,6 +80,45 @@ static void __init set_enabled(struct lsm_info *lsm, bool enabled) > } > } > > +/* Is an LSM already listed in the ordered LSMs list? */ > +static bool __init exists_ordered_lsm(struct lsm_info *lsm) > +{ > + struct lsm_info **check; > + > + for (check = ordered_lsms; *check; check++) > + if (*check == lsm) > + return true; > + > + return false; > +} > + > +/* Append an LSM to the list of ordered LSMs to initialize. */ > +static int last_lsm __initdata; > +static void __init append_ordered_lsm(struct lsm_info *lsm, const char *from) > +{ > + /* Ignore duplicate selections. */ > + if (exists_ordered_lsm(lsm)) > + return; > + > + if (WARN(last_lsm == LSM_COUNT, "%s: out of LSM slots!?\n", from)) > + return; > + > + ordered_lsms[last_lsm++] = lsm; > + init_debug("%s ordering: %s (%sabled)\n", from, lsm->name, > + (!lsm->enabled || *lsm->enabled) ? "en" : "dis"); > +} > + > +/* Populate ordered LSMs list from hard-coded list of LSMs. */ > +static void __init prepare_lsm_order(void) > +{ > + struct lsm_info *lsm; > + > + for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { > + if (strcmp(lsm->name, "integrity") == 0) > + append_ordered_lsm(lsm, "builtin"); > + } > +} > + > /* Is an LSM allowed to be enabled? */ > static bool __init lsm_allowed(struct lsm_info *lsm) > { > @@ -104,14 +149,10 @@ static void __init maybe_initialize_lsm(struct lsm_info *lsm) > > static void __init ordered_lsm_init(void) > { > - struct lsm_info *lsm; > - > - for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { > - if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) != 0) > - continue; > + struct lsm_info **lsm; > > - maybe_initialize_lsm(lsm); > - } > + for (lsm = ordered_lsms; *lsm; lsm++) > + maybe_initialize_lsm(*lsm); > } > > static void __init major_lsm_init(void) 
> @@ -141,6 +182,8 @@ int __init security_init(void) > for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct hlist_head); > i++) > INIT_HLIST_HEAD(&list[i]); > + ordered_lsms = kcalloc(LSM_COUNT + 1, sizeof(*ordered_lsms), > + GFP_KERNEL); > > /* Process "security=", if given. */ > if (!chosen_major_lsm) > @@ -169,6 +212,7 @@ int __init security_init(void) > loadpin_add_hooks(); > > /* Load LSMs in specified order. */ > + prepare_lsm_order(); > ordered_lsm_init(); > > /* > @@ -176,6 +220,7 @@ int __init security_init(void) > */ > major_lsm_init(); > > + kfree(ordered_lsms); > return 0; > } >
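
Review bot: the NULL-terminator invariant that exists_ordered_lsm() relies on is not documented anywhere in the @@ -74,6 +80,45 @@ hunk. The walk `for (check = ordered_lsms; *check; check++)` is bounded only because the array is allocated with LSM_COUNT + 1 zeroed slots and append_ordered_lsm() refuses to write once last_lsm == LSM_COUNT, so the final slot stays NULL. A comment on append_ordered_lsm() saying that the last slot must remain NULL would keep a later change to the WARN condition or to the allocation size from turning this loop into an out-of-bounds read. Separately, `static int last_lsm __initdata;` sits between the "Append an LSM" comment and the function that comment describes; move the declaration above the comment.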
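
Review bot: ordered_lsm_init() in the @@ -104,14 +149,10 @@ hunk loses the LSM_FLAG_LEGACY_MAJOR skip, and nothing visible in append_ordered_lsm() takes its place. With only "integrity" in the list this is harmless, but once prepare_lsm_order() is fed from other sources, a legacy major LSM placed in ordered_lsms would be handed to maybe_initialize_lsm() here in addition to the separate major-LSM initialization the commit message says is kept. Suggest rejecting entries with LSM_FLAG_LEGACY_MAJOR set in append_ordered_lsm(), or stating in the commit message why the check is no longer needed.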
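
Review bot: the kcalloc() result assigned to ordered_lsms in the security_init() hunk at @@ -141,6 +182,8 @@ is never checked for NULL. ordered_lsm_init() starts its loop by evaluating `*lsm` with lsm = ordered_lsms, and exists_ordered_lsm() does the same with `*check`, so a failed allocation becomes a NULL pointer dereference during early boot with no indication of the cause. Suggest testing the pointer immediately after the kcalloc() and failing explicitly there, so the failure is attributed to the allocation.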