From: Paul Moore
Date: Fri, 21 Jul 2023 17:40:23 -0400
Subject: Re: [PATCH v12 02/11] LSM: Maintain a table of LSM attribute data
To: Casey Schaufler
Cc: Mickaël Salaün, linux-security-module@vger.kernel.org, jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org

On Fri, Jul 14, 2023 at 3:42 PM Casey Schaufler wrote:
> On 7/11/2023 8:35 AM, Mickaël Salaün wrote:
> > On 29/06/2023 21:55, Casey Schaufler wrote:
> >> As LSMs are registered add their lsm_id pointers to a table.
> >> This will be used later for attribute reporting.
> >>
> >> Determine the number of possible security modules based on
> >> their respective CONFIG options. This allows the number to be
> >> known at build time. This allows data structures and tables
> >> to use the constant.
> >>
> >> Signed-off-by: Casey Schaufler
> >> Reviewed-by: Kees Cook
> >> Reviewed-by: Serge Hallyn
> >> ---
> >> include/linux/security.h | 2 ++
> >> security/security.c | 37 +++++++++++++++++++++++++++++++++++++
> >> 2 files changed, 39 insertions(+)

...

> >> diff --git a/security/security.c b/security/security.c > >> index e56714ef045a..5a699e47478b 100644 > >> --- a/security/security.c > >> +++ b/security/security.c
> >> @@ -521,6 +546,18 @@ void __init security_add_hooks(struct > >> security_hook_list *hooks, int count, > >> { > >> int i; > >> + /* > >> + * A security module may call security_add_hooks() more > >> + * than once during initialization, and LSM initialization > >> + * is serialized. Landlock is one such case. > >> + * Look at the previous entry, if there is one, for duplication. > >> + */ > >> + if (lsm_active_cnt =3D=3D 0 || lsm_idlist[lsm_active_cnt - 1] != =3D > >> lsmid) {
> >
> > Isn't it possible to have interleaved security_add_hooks() calls?
>
> The initialization is serial and interleaving isn't possible.
>
> >> + if (lsm_active_cnt >=3D LSM_CONFIG_COUNT) > >> + panic("%s Too many LSMs registered.\n", __func__);
> >
> > I'm not sure we should panic, but from a security point of view it is
> > critical enough…
>
> It's possible this should be a BUG() instance, but the panic() more
> closely resembles what's nearby in the code.

I think the panic() call is okay. If something is so horribly broken
that we hit this case we have little option but to panic the system as
booting with the LSM controls busted in such a way is very not good.

There are probably those that would object to the above statement, but
those people aren't likely to be building a kernel with any LSMs in
the first place.

-- 
paul-moore.com
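
Review bot: the new comment in security_add_hooks() says to "Look at the previous entry" but does not state the invariant that makes this sufficient, namely that all security_add_hooks() calls from one LSM are consecutive. Spelling that out next to the comparison against lsm_idlist[lsm_active_cnt - 1] would keep a later change to initialization order from silently registering the same lsmid twice and consuming a slot. The panic() message could also report lsm_active_cnt and LSM_CONFIG_COUNT so that a failed boot is diagnosable from the console output.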
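
A user-space model of the registration check discussed in this thread, added here as an example; it is not kernel code and not part of the patch. It replays consecutive and interleaved call sequences against a table bounded at build time, with interleaving included only for comparison since the thread states it cannot occur. All names (`model_*`, `CFG_LSM_*`, `register_*`, `replay`) and the store into the table are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
/* Constructed stand-ins for per-LSM CONFIG options; their sum bounds the table. */
#define CFG_LSM_A 1
#define CFG_LSM_B 1
#define MODEL_LSM_COUNT (CFG_LSM_A + CFG_LSM_B)

struct model_lsm_id { const char *name; };
typedef int (*reg_fn)(const struct model_lsm_id *);
static const struct model_lsm_id *model_idlist[MODEL_LSM_COUNT];
static size_t model_active_cnt;

/* Check from the quoted hunk; -1 stands in for panic(), the table store is assumed. */
static int register_last_entry(const struct model_lsm_id *id) {
    if (model_active_cnt == 0 || model_idlist[model_active_cnt - 1] != id) {
        if (model_active_cnt >= MODEL_LSM_COUNT)
            return -1;
        model_idlist[model_active_cnt++] = id;
    }
    return 0;
}

/* Alternative for comparison: scan every recorded entry. */
static int register_full_scan(const struct model_lsm_id *id) {
    for (size_t i = 0; i < model_active_cnt; i++)
        if (model_idlist[i] == id)
            return 0;
    if (model_active_cnt >= MODEL_LSM_COUNT)
        return -1;
    model_idlist[model_active_cnt++] = id;
    return 0;
}

/* Replay a call sequence; return entries recorded, or -1 on overflow. */
static int replay(reg_fn reg, const struct model_lsm_id *const *seq, size_t n) {
    model_active_cnt = 0;
    for (size_t i = 0; i < n; i++)
        if (reg(seq[i]) != 0)
            return -1;
    return (int)model_active_cnt;
}
static const struct model_lsm_id lsm_a = { "a" }, lsm_b = { "b" };
static const struct model_lsm_id *const serial_seq[] = { &lsm_a, &lsm_a, &lsm_b };
static const struct model_lsm_id *const interleaved_seq[] = { &lsm_a, &lsm_b, &lsm_a };
int main(void) {
    printf("%d %d %d\n", replay(register_last_entry, serial_seq, 3),
           replay(register_last_entry, interleaved_seq, 3),
           replay(register_full_scan, interleaved_seq, 3));
    return 0;
}
```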