LSM: Add all exclusive LSMs to ordered initialization

This removes CONFIG_DEFAULT_SECURITY in favor of the explicit ordering
offered by CONFIG_LSM and adds all the exclusive LSMs to the ordered
LSM initialization. The old meaning of CONFIG_DEFAULT_SECURITY is now
captured by which exclusive LSM is listed first in the LSM order. All
LSMs not added to the ordered list are explicitly disabled.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Casey Schaufler 2018-11-19 18:04:32 -08:00 committed by Kees Cook
parent be6ec88f41
commit c91d8106b3


@ -169,8 +169,6 @@ static void __init ordered_lsm_parse(const char *order, const char *origin)
char *sep, *name, *next; char *sep, *name, *next;
/* Process "security=", if given. */ /* Process "security=", if given. */
if (!chosen_major_lsm)
chosen_major_lsm = CONFIG_DEFAULT_SECURITY;
if (chosen_major_lsm) { if (chosen_major_lsm) {
struct lsm_info *major; struct lsm_info *major;
@ -198,8 +196,7 @@ static void __init ordered_lsm_parse(const char *order, const char *origin)
bool found = false; bool found = false;
for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0 && if (strcmp(lsm->name, name) == 0) {
strcmp(lsm->name, name) == 0) {
append_ordered_lsm(lsm, origin); append_ordered_lsm(lsm, origin);
found = true; found = true;
} }
@ -208,6 +205,25 @@ static void __init ordered_lsm_parse(const char *order, const char *origin)
if (!found) if (!found)
init_debug("%s ignored: %s\n", origin, name); init_debug("%s ignored: %s\n", origin, name);
} }
/* Process "security=", if given. */
if (chosen_major_lsm) {
for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
if (exists_ordered_lsm(lsm))
continue;
if (strcmp(lsm->name, chosen_major_lsm) == 0)
append_ordered_lsm(lsm, "security=");
}
}
/* Disable all LSMs not in the ordered list. */
for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
if (exists_ordered_lsm(lsm))
continue;
set_enabled(lsm, false);
init_debug("%s disabled: %s\n", origin, lsm->name);
}
kfree(sep); kfree(sep);
} }
@ -229,22 +245,6 @@ static void __init ordered_lsm_init(void)
kfree(ordered_lsms); kfree(ordered_lsms);
} }
static void __init major_lsm_init(void)
{
struct lsm_info *lsm;
for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0)
continue;
/* Enable this LSM, if it is not already set. */
if (!lsm->enabled)
lsm->enabled = &lsm_enabled_true;
maybe_initialize_lsm(lsm);
}
}
/** /**
* security_init - initializes the security framework * security_init - initializes the security framework
* *
@ -271,11 +271,6 @@ int __init security_init(void)
/* Load LSMs in specified order. */ /* Load LSMs in specified order. */
ordered_lsm_init(); ordered_lsm_init();
/*
* Load all the remaining security modules.
*/
major_lsm_init();
return 0; return 0;
} }
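Review bot: An unrecognized `security=` value is silently dropped by the new block added just before `kfree(sep)` in ordered_lsm_parse: the loop only appends on a name match and nothing reports a miss, whereas the ordered-list loop directly above it prints `init_debug("%s ignored: %s\n", origin, name)` for unknown names. Unless the earlier "security=" block at the top of the function (its body lies outside the hunk) already reports this, a misspelled `security=` boots whichever exclusive LSM comes first in CONFIG_LSM with no trace in the boot log, so a found flag and a matching init_debug on the miss would make the two paths consistent (rewrite below; note the name check has to come before the exists_ordered_lsm() skip, otherwise an LSM that is already in the list would be reported as ignored). The two identical `/* Process "security=", if given. */` comments now introduce different steps; the second would read better as `/* Append the "security=" LSM to the order if it is not already listed. */`. With the LSM_FLAG_LEGACY_MAJOR filter removed in the second hunk, two exclusive LSMs can both be appended here; the hunks do not show where that is rejected, so presumably it is enforced at initialization time and a one-line comment at the strcmp site saying so would help. ordered_lsm_parse starts outside the hunks and its later lines are only partly visible.
```c
	/* Append the "security=" LSM to the order if it is not already listed. */
	if (chosen_major_lsm) {
		bool found = false;

		for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
			if (strcmp(lsm->name, chosen_major_lsm) != 0)
				continue;
			found = true;
			if (!exists_ordered_lsm(lsm))
				append_ordered_lsm(lsm, "security=");
		}
		if (!found)
			init_debug("security= ignored: %s\n", chosen_major_lsm);
	}
	/* … unchanged: disable all LSMs not in the ordered list … */
```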