
Commit c91d810

cschauflerkees
authored and committed
LSM: Add all exclusive LSMs to ordered initialization
This removes CONFIG_DEFAULT_SECURITY in favor of the explicit ordering offered by CONFIG_LSM and adds all the exclusive LSMs to the ordered LSM initialization. The old meaning of CONFIG_DEFAULT_SECURITY is now captured by which exclusive LSM is listed first in the LSM order. All LSMs not added to the ordered list are explicitly disabled. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
1 parent be6ec88 commit c91d810


1 file changed

+20
-25
lines changed

1 file changed

+20
-25
lines changed

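--- a/security/security.c
+++ b/security/security.c
@@ -169,8 +169,6 @@ static void __init ordered_lsm_parse(const char *order, const char *origin)
 char *sep, *name, *next;
 
 /* Process "security=", if given. */
-if (!chosen_major_lsm)
-chosen_major_lsm = CONFIG_DEFAULT_SECURITY;
 if (chosen_major_lsm) {
 struct lsm_info *major;
 
@@ -198,8 +196,7 @@ static void __init ordered_lsm_parse(const char *order, const char *origin)
 bool found = false;
 
 for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
-if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0 &&
-strcmp(lsm->name, name) == 0) {
+if (strcmp(lsm->name, name) == 0) {
 append_ordered_lsm(lsm, origin);
 found = true;
 }
@@ -208,6 +205,25 @@ static void __init ordered_lsm_parse(const char *order, const char *origin)
 if (!found)
 init_debug("%s ignored: %s\n", origin, name);
 }
+
+/* Process "security=", if given. */
+if (chosen_major_lsm) {
+for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
+if (exists_ordered_lsm(lsm))
+continue;
+if (strcmp(lsm->name, chosen_major_lsm) == 0)
+append_ordered_lsm(lsm, "security=");
+}
+}
+
+/* Disable all LSMs not in the ordered list. */
+for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
+if (exists_ordered_lsm(lsm))
+continue;
+set_enabled(lsm, false);
+init_debug("%s disabled: %s\n", origin, lsm->name);
+}
+
 kfree(sep);
 }
 
@@ -229,22 +245,6 @@ static void __init ordered_lsm_init(void)
 kfree(ordered_lsms);
 }
 
-static void __init major_lsm_init(void)
-{
-struct lsm_info *lsm;
-
-for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
-if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0)
-continue;
-
-/* Enable this LSM, if it is not already set. */
-if (!lsm->enabled)
-lsm->enabled = &lsm_enabled_true;
-
-maybe_initialize_lsm(lsm);
-}
-}
-
 /**
  * security_init - initializes the security framework
  *
@@ -271,11 +271,6 @@ int __init security_init(void)
 /* Load LSMs in specified order. */
 ordered_lsm_init();
 
-/*
- * Load all the remaining security modules.
- */
-major_lsm_init();
-
 return 0;
 }
 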
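Review bot: The comment `/* Process "security=", if given. */` now heads two different steps of ordered_lsm_parse: it survives at old line 171 above the earlier `if (chosen_major_lsm)` block that declares `struct lsm_info *major`, and the third hunk adds the identical line above the new loop that appends the chosen LSM with `append_ordered_lsm(lsm, "security=")`. The body of that earlier block lies outside the hunks, so its purpose cannot be confirmed here, but two identical headings for two distinct passes make the second read as an accidental duplicate; reword the earlier one to name what that block actually does with `major`, and keep the new heading for the append pass. In the new disable loop it would also help a reader to state the invariant the commit message gives, e.g. `/* Anything absent from the ordered list, including every LSM that was not named in CONFIG_LSM or on the command line, is disabled here; there is no other enable path now that major_lsm_init() is gone. */`. ordered_lsm_parse begins before the first hunk, so the declaration of `lsm` used by the new loops is not visible in this view.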