From patchwork Sun Sep 16 00:30:52 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10601621 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 8237314DB for ; Sun, 16 Sep 2018 00:31:49 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7010C2A647 for ; Sun, 16 Sep 2018 00:31:49 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 6212C2A64D; Sun, 16 Sep 2018 00:31:49 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C946A2A647 for ; Sun, 16 Sep 2018 00:31:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728284AbeIPFwM (ORCPT ); Sun, 16 Sep 2018 01:52:12 -0400 Received: from mail-pl1-f193.google.com ([209.85.214.193]:34485 "EHLO mail-pl1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728280AbeIPFwL (ORCPT ); Sun, 16 Sep 2018 01:52:11 -0400 Received: by mail-pl1-f193.google.com with SMTP id f6-v6so5797982plo.1 for ; Sat, 15 Sep 2018 17:31:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=Ff2uCXniP35yOceinbpCsTgz/UM9QN0S8uqhE84wjE8=; b=jb216WyHsxVPsMBQCNVAs+o6i3gjvUOjAXzF3tfKSQ1AwYem9gRRSonYvA1d2xn8qx Kwl/gfbfpxJ70fF0HjcSiDULLWBjBilQFBgMiyKqjB240Gtyjb3X488uSl6R6vqYbGfw G5NSX99o+527m7Z+KT+0GKnVzyT9xoFT7w4RE= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=Ff2uCXniP35yOceinbpCsTgz/UM9QN0S8uqhE84wjE8=; b=oVYLRjVcaTPZ1R9p6caFnvhhfGK/HYDnhTQLZwjBy26Ky7WKtm+jOka6HthP+GFR18 RQrtAUAGaHMlH4F4BGMu2dofJqgexYqANIqJU7h078v0/5ZdWl2b454eSCrTqO/DVADQ 6FTS1K41QOUwOMiWgL73hFuEfnc2Al54pdXV2GTYaXMFtNZOGYBulCcVajK4+lJPsSCa 7OjBB0U9gzKQdp+9JBBAtDcYKuBDzJAtkgrLo6KJ000/DO/ibIxAidpO+4n36L1QFfLg 31+FZIHLDtUa1LgoDOMb8ENjVLIpr2ROcsqmyX7V2ITdLk+Swcj6p2kdt8om+KgJE6DT 7jSg== X-Gm-Message-State: APzg51D2c4a49+6NWKI40JZdXyQGFzYAtqHL6nd/ltc1xASNaMmbKuyM 3lk7MLMLMe113lAO8MMmCcSjlQ== X-Google-Smtp-Source: ANB0VdYd+iGdFv8UyIKEiydt+NBiF3Lg7A+qpiP125RIvA/eYCyVam91t2a1ojgz0N9fbzG9W6kjIw== X-Received: by 2002:a17:902:4081:: with SMTP id c1-v6mr18505314pld.169.1537057874805; Sat, 15 Sep 2018 17:31:14 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id j15-v6sm12933689pfn.52.2018.09.15.17.31.07 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Sat, 15 Sep 2018 17:31:08 -0700 (PDT) From: Kees Cook To: James Morris Cc: Kees Cook , Casey Schaufler , John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley , "Schaufler, Casey" , LSM , LKLM Subject: [PATCH 11/18] LSM: Lift LSM selection out of individual LSMs Date: Sat, 15 Sep 2018 17:30:52 -0700 Message-Id: <20180916003059.1046-12-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180916003059.1046-1-keescook@chromium.org> References: <20180916003059.1046-1-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP In order to adjust LSM selection logic in the future, this moves the selection logic up out of the individual LSMs, making their init functions only run when actually enabled. Signed-off-by: Kees Cook --- include/linux/lsm_hooks.h | 1 - security/apparmor/lsm.c | 6 --- security/security.c | 75 ++++++++++++++++++++++++++------------ security/selinux/hooks.c | 10 ----- security/smack/smack_lsm.c | 3 -- security/tomoyo/tomoyo.c | 2 - 6 files changed, 51 insertions(+), 46 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 8a3a6cd26f03..6e71e1c47fa1 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2094,7 +2094,6 @@ static inline void security_delete_hooks(struct security_hook_list *hooks, #define __lsm_ro_after_init __ro_after_init #endif /* CONFIG_SECURITY_WRITABLE_HOOKS */ -extern int __init security_module_enable(const char *module); extern void __init capability_add_hooks(void); #ifdef CONFIG_SECURITY_YAMA extern void __init yama_add_hooks(void); diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 6cd630b34c3b..56c0982b48cd 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1542,12 +1542,6 @@ static int __init apparmor_init(void) { int error; - if (!apparmor_enabled || !security_module_enable("apparmor")) { - aa_info_message("AppArmor disabled by boot time parameter"); - apparmor_enabled = false; - return 0; - } - aa_secids_init(); error = aa_setup_dfa_engine(); diff --git a/security/security.c b/security/security.c index da2a923f2609..3fedbee5f3ec 100644 --- a/security/security.c +++ b/security/security.c @@ -43,13 +43,63 @@ char *lsm_names; static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = CONFIG_DEFAULT_SECURITY; +static struct lsm_info *exclusive __initdata; + +/* Mark an LSM's enabled flag, if it exists. */ +static void __init set_enabled(struct lsm_info *lsm, bool enabled) +{ + if (lsm->enabled) + *lsm->enabled = enabled; +} + +/* Is an LSM allowed to be enabled? */ +static bool __init lsm_enabled(struct lsm_info *lsm) +{ + /* Report explicit disabling. */ + if (lsm->enabled && !*lsm->enabled) { + pr_info("%s disabled with boot parameter\n", lsm->name); + return false; + } + + /* If LSM isn't exclusive, ignore exclusive LSM selection rules. */ + if (lsm->type != LSM_TYPE_EXCLUSIVE) + return true; + + /* Disabled if another exclusive LSM already selected. */ + if (exclusive) + return false; + + /* Disabled if this LSM isn't the chosen one. */ + if (strcmp(lsm->name, chosen_lsm) != 0) + return false; + + return true; +} + +/* Check if LSM should be enabled. Mark any that are disabled. */ +static void __init maybe_enable_lsm(struct lsm_info *lsm) +{ + int enabled = lsm_enabled(lsm); + + /* Record enablement. */ + set_enabled(lsm, enabled); + + /* If selected, initialize the LSM. */ + if (enabled) { + if (lsm->type == LSM_TYPE_EXCLUSIVE) { + exclusive = lsm; + } + lsm->init(); + } +} + static void __init lsm_init(enum lsm_type type) { struct lsm_info *lsm; for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { if (lsm->type == type) - lsm->init(); + maybe_enable_lsm(lsm); } } @@ -128,29 +178,6 @@ static int lsm_append(char *new, char **result) return 0; } -/** - * security_module_enable - Load given security module on boot ? - * @module: the name of the module - * - * Each LSM must pass this method before registering its own operations - * to avoid security registration races. This method may also be used - * to check if your LSM is currently loaded during kernel initialization. - * - * Returns: - * - * true if: - * - * - The passed LSM is the one chosen by user at boot time, - * - or the passed LSM is configured as the default and the user did not - * choose an alternate LSM at boot time. - * - * Otherwise, return false. - */ -int __init security_module_enable(const char *module) -{ - return !strcmp(module, chosen_lsm); -} - /** * security_add_hooks - Add a modules hooks to the hook lists. * @hooks: the hooks to add diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 78b5afc188f3..5478abf51f3a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7133,16 +7133,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { static __init int selinux_init(void) { - if (!security_module_enable("selinux")) { - selinux_enabled = 0; - return 0; - } - - if (!selinux_enabled) { - pr_info("SELinux: Disabled at boot.\n"); - return 0; - } - pr_info("SELinux: Initializing.\n"); memset(&selinux_state, 0, sizeof(selinux_state)); diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 1e1ace718e75..6e127c357ca2 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4834,9 +4834,6 @@ static __init int smack_init(void) struct cred *cred; struct task_smack *tsp; - if (!security_module_enable("smack")) - return 0; - smack_inode_cache = KMEM_CACHE(inode_smack, 0); if (!smack_inode_cache) return -ENOMEM; diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index a280d4eab456..0471390409c5 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c @@ -540,8 +540,6 @@ static int __init tomoyo_init(void) { struct cred *cred = (struct cred *) current_cred(); - if (!security_module_enable("tomoyo")) - return 0; /* register ourselves with the security framework */ security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo"); printk(KERN_INFO "TOMOYO Linux initialized\n");