| Message ID | 20180920162338.21060-21-keescook@chromium.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | LSM: Explict LSM ordering | expand |
On 9/20/2018 9:23 AM, Kees Cook wrote: > Provide a way to reorder LSM initialization using the new "lsm.order=" > comma-separated list of LSMs. Any LSMs not listed will be added in builtin > order. > > Signed-off-by: Kees Cook <keescook@chromium.org> > --- > Documentation/admin-guide/kernel-parameters.txt | 5 +++++ > security/security.c | 15 ++++++++++++++- > 2 files changed, 19 insertions(+), 1 deletion(-) > > diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt > index 32d323ee9218..5ac4c1056ffa 100644 > --- a/Documentation/admin-guide/kernel-parameters.txt > +++ b/Documentation/admin-guide/kernel-parameters.txt > @@ -2276,6 +2276,11 @@ > > lsm.debug [SECURITY] Enable LSM initialization debugging output. > > + lsm.order=lsm1,...,lsmN > + [SECURITY] Choose order of LSM initialization. Any > + builtin LSMs not listed here will be implicitly > + added to the list in builtin order. Added at the end of the list, or beginning of the list? > + > machvec= [IA-64] Force the use of a particular machine-vector > (machvec) in a generic kernel. > Example: machvec=hpzx1_swiotlb > diff --git a/security/security.c b/security/security.c > index 063ee2466e58..4db194f81419 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -43,6 +43,7 @@ static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain); > char *lsm_names; > /* Boot-time LSM user choice */ > static __initdata const char *chosen_major_lsm; > +static __initdata const char *chosen_lsm_order; > > static __initconst const char * const builtin_lsm_order = CONFIG_LSM_ORDER; > > @@ -136,11 +137,15 @@ static void __init parse_lsm_order(const char *order, const char *origin) > kfree(sep); > } > > -/* Populate ordered LSMs list from builtin list of LSMs. */ > +/* Populate ordered LSMs list from commandline and builtin list of LSMs. */ > static void __init prepare_lsm_order(void) > { > struct lsm_info *lsm; > > + /* Parse order from commandline, if present. */ > + if (chosen_lsm_order) > + parse_lsm_order(chosen_lsm_order, "cmdline"); > + > /* Parse order from builtin list. */ > parse_lsm_order(builtin_lsm_order, "builtin"); > > @@ -264,6 +269,14 @@ static int __init choose_major_lsm(char *str) > } > __setup("security=", choose_major_lsm); > > +/* Explicitly choose LSM initialization order. */ > +static int __init choose_lsm_order(char *str) > +{ > + chosen_lsm_order = str; > + return 1; > +} > +__setup("lsm.order=", choose_lsm_order); > + > /* Enable LSM order debugging. */ > static int __init enable_debug(char *str) > {
On Thu, Sep 20, 2018 at 5:12 PM, Casey Schaufler <casey@schaufler-ca.com> wrote: > On 9/20/2018 9:23 AM, Kees Cook wrote: >> Provide a way to reorder LSM initialization using the new "lsm.order=" >> comma-separated list of LSMs. Any LSMs not listed will be added in builtin >> order. >> >> Signed-off-by: Kees Cook <keescook@chromium.org> >> --- >> Documentation/admin-guide/kernel-parameters.txt | 5 +++++ >> security/security.c | 15 ++++++++++++++- >> 2 files changed, 19 insertions(+), 1 deletion(-) >> >> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt >> index 32d323ee9218..5ac4c1056ffa 100644 >> --- a/Documentation/admin-guide/kernel-parameters.txt >> +++ b/Documentation/admin-guide/kernel-parameters.txt >> @@ -2276,6 +2276,11 @@ >> >> lsm.debug [SECURITY] Enable LSM initialization debugging output. >> >> + lsm.order=lsm1,...,lsmN >> + [SECURITY] Choose order of LSM initialization. Any >> + builtin LSMs not listed here will be implicitly >> + added to the list in builtin order. > > Added at the end of the list, or beginning of the list? Whoops, I had an earlier version that was more clear. I meant to say "appended" instead of "added" here. Fixed for the next version. -Kees
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 32d323ee9218..5ac4c1056ffa 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -2276,6 +2276,11 @@ lsm.debug [SECURITY] Enable LSM initialization debugging output. + lsm.order=lsm1,...,lsmN + [SECURITY] Choose order of LSM initialization. Any + builtin LSMs not listed here will be implicitly + added to the list in builtin order. + machvec= [IA-64] Force the use of a particular machine-vector (machvec) in a generic kernel. Example: machvec=hpzx1_swiotlb diff --git a/security/security.c b/security/security.c index 063ee2466e58..4db194f81419 100644 --- a/security/security.c +++ b/security/security.c @@ -43,6 +43,7 @@ static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain); char *lsm_names; /* Boot-time LSM user choice */ static __initdata const char *chosen_major_lsm; +static __initdata const char *chosen_lsm_order; static __initconst const char * const builtin_lsm_order = CONFIG_LSM_ORDER; @@ -136,11 +137,15 @@ static void __init parse_lsm_order(const char *order, const char *origin) kfree(sep); } -/* Populate ordered LSMs list from builtin list of LSMs. */ +/* Populate ordered LSMs list from commandline and builtin list of LSMs. */ static void __init prepare_lsm_order(void) { struct lsm_info *lsm; + /* Parse order from commandline, if present. */ + if (chosen_lsm_order) + parse_lsm_order(chosen_lsm_order, "cmdline"); + /* Parse order from builtin list. */ parse_lsm_order(builtin_lsm_order, "builtin"); @@ -264,6 +269,14 @@ static int __init choose_major_lsm(char *str) } __setup("security=", choose_major_lsm); +/* Explicitly choose LSM initialization order. */ +static int __init choose_lsm_order(char *str) +{ + chosen_lsm_order = str; + return 1; +} +__setup("lsm.order=", choose_lsm_order); + /* Enable LSM order debugging. */ static int __init enable_debug(char *str) {
Provide a way to reorder LSM initialization using the new "lsm.order=" comma-separated list of LSMs. Any LSMs not listed will be added in builtin order. Signed-off-by: Kees Cook <keescook@chromium.org> --- Documentation/admin-guide/kernel-parameters.txt | 5 +++++ security/security.c | 15 ++++++++++++++- 2 files changed, 19 insertions(+), 1 deletion(-)