@@ -2044,6 +2044,7 @@ extern void security_add_hooks(struct security_hook_list *hooks, int count,
struct lsm_info {
const char *name; /* Populated automatically. */
unsigned long flags; /* Optional: flags describing LSM */
+ int *enabled; /* Optional: NULL means enabled. */
int (*init)(void);
};
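Review bot: The comment on the new `int *enabled` member documents the NULL case but not the non-NULL one: what the pointee's value means (only zero vs. non-zero, or a specific range) and that the pointed-to object must stay valid for as long as the LSM infrastructure may read it. Both users added in this series point it at a file-scope `int` owned by the LSM itself, so the contract could be stated here, e.g. `/* Optional: NULL means enabled; otherwise points at the LSM's own flag (non-zero means enabled), which must outlive any lookup. */`. Since `struct lsm_info` is filled in through `DEFINE_LSM`, this header comment is the only place a new LSM author will see that contract.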
@@ -1303,8 +1303,8 @@ bool aa_g_paranoid_load = true;
module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO);
/* Boot time disable flag */
-static bool apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE;
-module_param_named(enabled, apparmor_enabled, bool, S_IRUGO);
+static int apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE;
+module_param_named(enabled, apparmor_enabled, int, 0444);
static int __init apparmor_enabled_setup(char *str)
{
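Review bot: Changing `apparmor_enabled` from `bool` to `int` and the module parameter from `bool` to `int` (the two replaced lines) widens what the boot line accepts: the bool parameter handling only takes y/n/1/0, whereas an int parameter stores any integer, so `apparmor.enabled=2` or a negative value is now kept as-is and echoed back through the read-only parameter. If every reader of the shared `enabled` pointer uses a plain non-zero test this is harmless, but it is worth saying so at the declaration, e.g. replacing the existing comment with `/* Boot time enable flag; only zero vs. non-zero is significant. */`, or normalising the value where it is consumed. `apparmor_enabled_setup` starts on the last line of the hunk and its body is outside it; it writes the same variable from the early `apparmor=` parameter, and since the diffstat shows no other change in this file it should be rechecked that it still compiles against an `int` target and stores 0/1.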
@@ -1608,5 +1608,6 @@ static int __init apparmor_init(void)
DEFINE_LSM(apparmor)
.flags = LSM_FLAG_LEGACY_MAJOR,
+ .enabled = &apparmor_enabled,
.init = apparmor_init,
END_LSM;
@@ -7204,6 +7204,7 @@ void selinux_complete_init(void)
all processes and objects when they are created. */
DEFINE_LSM(selinux)
.flags = LSM_FLAG_LEGACY_MAJOR,
+ .enabled = &selinux_enabled,
.init = selinux_init,
END_LSM;
In preparation for lifting the "is this LSM enabled?" logic out of the individual LSMs, pass in any special enabled state tracking (as needed for SELinux, AppArmor, and LoadPin). This must be an "int" to include handling cases where "enabled" is exposed via sysctl which has no "bool" type (i.e. LoadPin's use). LoadPin's "enabled" tracking will be added later when it gets added to the "ordered LSM" stack. Signed-off-by: Kees Cook <keescook@chromium.org> --- include/linux/lsm_hooks.h | 1 + security/apparmor/lsm.c | 5 +++-- security/selinux/hooks.c | 1 + 3 files changed, 5 insertions(+), 2 deletions(-)