From patchwork Thu Nov 2 00:55:18 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: KP Singh
X-Patchwork-Id: 13443219
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6ACFF15AD for ; Thu, 2 Nov 2023 00:55:34 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="cgt/OTlq"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 949A0C433CD; Thu, 2 Nov 2023 00:55:31 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1698886534; bh=iU8ghSAZArfPrUDx1mTaM7zZJqAsydpk+gAgLVDFjJM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=cgt/OTlq3zkiLm/RRKBe4Km3tOJe2XiCTKRT7hJH7JIQ2jvQXogq7WbxKJ6fbr3uq DrKHn3rl14GSE5buzxro7P8tsS5nLE+L5DiSVXxUEDxFn1F7qjK1GX09ACP/xKpvkH 5M70jB0xIN2km4QOO+QzehPYc9thzyvBUy+1XRP4WEwZ1uamZzwDK7OdTHKK0wFkKM EgZfmzhKbGYXJMHiYRlS4ZA26ZjA8v5HHWOjqOw++q4oyXeDfnNS3dsvzOSOxlUxV2 bDlYkNoTLCF/79ttNRHxWfbW40tYgy7sfzCTVHsjlTPGWD2j2JOcC/zYLsmHp7aYq7 WzeDTFxUi+n1g==
From: KP Singh
To: linux-security-module@vger.kernel.org, bpf@vger.kernel.org
Cc: paul@paul-moore.com, keescook@chromium.org, casey@schaufler-ca.com, song@kernel.org, daniel@iogearbox.net, ast@kernel.org, kpsingh@kernel.org, renauld@google.com, pabeni@redhat.com, Kui-Feng Lee , Andrii Nakryiko
Subject: [PATCH v7 2/5] security: Count the LSMs enabled at compile time
Date: Thu, 2 Nov 2023 01:55:18 +0100
Message-ID: <20231102005521.346983-3-kpsingh@kernel.org>
X-Mailer: git-send-email 2.42.0.820.g83a721a137-goog
In-Reply-To: <20231102005521.346983-1-kpsingh@kernel.org>
References: <20231102005521.346983-1-kpsingh@kernel.org>
Precedence: bulk
X-Mailing-List: bpf@vger.kernel.org
MIME-Version: 1.0

These macros are a clever trick to determine a count of the number of LSMs
that are enabled in the config to ascertain the maximum number of static
calls that need to be configured per LSM hook.

Without this, one would need to generate static calls for the total number
of LSMs in the kernel (even if they are not compiled) times the number of
LSM hooks which ends up being quite wasteful.

Suggested-by: Kui-Feng Lee
Suggested-by: Andrii Nakryiko
Acked-by: Song Liu
Reviewed-by: Kees Cook
Signed-off-by: KP Singh
---
 include/linux/lsm_count.h | 114 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 114 insertions(+)
 create mode 100644 include/linux/lsm_count.h

diff --git a/include/linux/lsm_count.h b/include/linux/lsm_count.h
new file mode 100644
index 000000000000..dbb3c8573959
--- /dev/null
+++ b/include/linux/lsm_count.h
@@ -0,0 +1,114 @@ +/* SPDX-License-Identifier: GPL-2.0 */ + +/* + * Copyright (C) 2023 Google LLC. + */ + +#ifndef __LINUX_LSM_COUNT_H +#define __LINUX_LSM_COUNT_H + +#include + +#ifdef CONFIG_SECURITY + +/* + * Macros to count the number of LSMs enabled in the kernel at compile time. + */ + +/* + * Capabilities is enabled when CONFIG_SECURITY is enabled. + */ +#if IS_ENABLED(CONFIG_SECURITY) +#define CAPABILITIES_ENABLED 1, +#else +#define CAPABILITIES_ENABLED +#endif + +#if IS_ENABLED(CONFIG_SECURITY_SELINUX) +#define SELINUX_ENABLED 1, +#else +#define SELINUX_ENABLED +#endif + +#if IS_ENABLED(CONFIG_SECURITY_SMACK) +#define SMACK_ENABLED 1, +#else +#define SMACK_ENABLED +#endif + +#if IS_ENABLED(CONFIG_SECURITY_APPARMOR) +#define APPARMOR_ENABLED 1, +#else +#define APPARMOR_ENABLED +#endif + +#if IS_ENABLED(CONFIG_SECURITY_TOMOYO) +#define TOMOYO_ENABLED 1, +#else +#define TOMOYO_ENABLED +#endif + +#if IS_ENABLED(CONFIG_SECURITY_YAMA) +#define YAMA_ENABLED 1, +#else +#define YAMA_ENABLED +#endif + +#if IS_ENABLED(CONFIG_SECURITY_LOADPIN) +#define LOADPIN_ENABLED 1, +#else +#define LOADPIN_ENABLED +#endif + +#if IS_ENABLED(CONFIG_SECURITY_LOCKDOWN_LSM) +#define LOCKDOWN_ENABLED 1, +#else +#define LOCKDOWN_ENABLED +#endif + +#if IS_ENABLED(CONFIG_SECURITY_SAFESETID) +#define SAFESETID_ENABLED 1, +#else +#define SAFESETID_ENABLED +#endif + +#if IS_ENABLED(CONFIG_BPF_LSM) +#define BPF_LSM_ENABLED 1, +#else +#define BPF_LSM_ENABLED +#endif + +#if IS_ENABLED(CONFIG_SECURITY_LANDLOCK) +#define LANDLOCK_ENABLED 1, +#else +#define LANDLOCK_ENABLED +#endif + +/* + * There is a trailing comma that we need to be accounted for. This is done by + * using a skipped argument in __COUNT_LSMS + */ +#define __COUNT_LSMS(skipped_arg, args...) COUNT_ARGS(args...) +#define COUNT_LSMS(args...) 
__COUNT_LSMS(args) + +#define MAX_LSM_COUNT \ + COUNT_LSMS( \ + CAPABILITIES_ENABLED \ + SELINUX_ENABLED \ + SMACK_ENABLED \ + APPARMOR_ENABLED \ + TOMOYO_ENABLED \ + YAMA_ENABLED \ + LOADPIN_ENABLED \ + LOCKDOWN_ENABLED \ + SAFESETID_ENABLED \ + BPF_LSM_ENABLED \ + LANDLOCK_ENABLED) + +#else + +#define MAX_LSM_COUNT 0 + +#endif /* CONFIG_SECURITY */ + +#endif /* __LINUX_LSM_COUNT_H */
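Review bot: the comment above `__COUNT_LSMS` explains only half of the trailing-comma handling. `skipped_arg` swallows the first `1,`, but the expansion `COUNT_ARGS(args...)` is doing work too: the `...` after `args` is not part of the parameter name in the replacement list, it is a literal token that lands as one extra argument after the trailing comma, which is what makes the count come out right when `args` expands to nothing (only capabilities enabled). Someone later "simplifying" that to `COUNT_ARGS(args)` would change the result without any compile error, so the comment should state that the skipped argument and the trailing `...` are both required. Two smaller points: the `#if IS_ENABLED(CONFIG_SECURITY)` guard around `CAPABILITIES_ENABLED` sits inside `#ifdef CONFIG_SECURITY`, so its `#else` branch is dead; either drop the conditional or annotate it as kept for symmetry with the other entries. And since `MAX_LSM_COUNT` bounds the static-call slots per hook, a one-line comment that every new LSM must be added to this list (nothing in the build checks that the list is complete) would spare a future contributor a silently undersized count.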