summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKees Cook <keescook@chromium.org>2018-10-09 23:42:57 +0200
committerKees Cook <keescook@chromium.org>2019-01-08 22:18:42 +0100
commita8027fb0d188599ccdb2096f49f708bae04d86c4 (patch)
treefdef774e00b724d4ecf2eb0b997dc2ce773c8663
parentLSM: Introduce "lsm=" for boottime LSM selection (diff)
downloadlinux-a8027fb0d188599ccdb2096f49f708bae04d86c4.tar.xz
linux-a8027fb0d188599ccdb2096f49f708bae04d86c4.zip
LSM: Tie enabling logic to presence in ordered list
Until now, any LSM without an enable storage variable was considered enabled. This inverts the logic and sets defaults to true only if the LSM gets added to the ordered initialization list. (And an exception continues for the major LSMs until they are integrated into the ordered initialization in a later patch.) Signed-off-by: Kees Cook <keescook@chromium.org>
-rw-r--r--include/linux/lsm_hooks.h2
-rw-r--r--security/security.c14
2 files changed, 12 insertions, 4 deletions
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index be1581d18e3e..e28a3aa639e8 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -2047,7 +2047,7 @@ extern void security_add_hooks(struct security_hook_list *hooks, int count,
struct lsm_info {
const char *name; /* Required. */
unsigned long flags; /* Optional: flags describing LSM */
- int *enabled; /* Optional: NULL means enabled. */
+ int *enabled; /* Optional: controlled by CONFIG_LSM */
int (*init)(void); /* Required. */
};
diff --git a/security/security.c b/security/security.c
index 2e1f48e8a6f2..b6d3456978a4 100644
--- a/security/security.c
+++ b/security/security.c
@@ -63,10 +63,10 @@ static __initdata bool debug;
static bool __init is_enabled(struct lsm_info *lsm)
{
- if (!lsm->enabled || *lsm->enabled)
- return true;
+ if (!lsm->enabled)
+ return false;
- return false;
+ return *lsm->enabled;
}
/* Mark an LSM's enabled flag. */
@@ -117,7 +117,11 @@ static void __init append_ordered_lsm(struct lsm_info *lsm, const char *from)
if (WARN(last_lsm == LSM_COUNT, "%s: out of LSM slots!?\n", from))
return;
+ /* Enable this LSM, if it is not already set. */
+ if (!lsm->enabled)
+ lsm->enabled = &lsm_enabled_true;
ordered_lsms[last_lsm++] = lsm;
+
init_debug("%s ordering: %s (%sabled)\n", from, lsm->name,
is_enabled(lsm) ? "en" : "dis");
}
@@ -210,6 +214,10 @@ static void __init major_lsm_init(void)
if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0)
continue;
+ /* Enable this LSM, if it is not already set. */
+ if (!lsm->enabled)
+ lsm->enabled = &lsm_enabled_true;
+
maybe_initialize_lsm(lsm);
}
}