Thread (46 messages), 5 authors, 2023-04-13

Re: [PATCH v7 02/11] LSM: Maintain a table of LSM attribute data

From: Paul Moore <paul@paul-moore.com>
Date: 2023-03-30 01:10:54
Also in: linux-security-module, lkml

On Wed, Mar 15, 2023 at 6:47 PM Casey Schaufler [off-list ref] wrote:
As LSMs are registered add their lsm_id pointers to a table.
This will be used later for attribute reporting.

Determine the number of possible security modules based on
their respective CONFIG options. This allows the number to be
known at build time. This allows data structures and tables
to use the constant.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
 include/linux/security.h |  2 ++
 security/security.c      | 44 ++++++++++++++++++++++++++++++++--------
 2 files changed, 38 insertions(+), 8 deletions(-)
...
diff --git a/security/security.c b/security/security.c
index 58828a326024..aa84b1cf4253 100644
--- a/security/security.c
+++ b/security/security.c
@@ -513,6 +531,16 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count,
 {
        int i;

+       /*
+        * A security module may call security_add_hooks() more
+        * than once. Landlock is one such case.
+        */
+       if (lsm_active_cnt == 0 || lsm_idlist[lsm_active_cnt - 1] != lsmid)
+               lsm_idlist[lsm_active_cnt++] = lsmid;
+
+       if (lsm_active_cnt > LSM_COUNT)
+               panic("%s Too many LSMs registered.\n", __func__);

In addition to the fixes needed to resolve the bug identified by the
kernel test robot, I think it might be wise to do the @lsm_active_cnt
check *before* potentially adding it to the @lsm_idlist array.

        for (i = 0; i < count; i++) {
                hooks[i].lsmid = lsmid;
                hlist_add_tail_rcu(&hooks[i].list, hooks[i].head);
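
Review bot: In security_add_hooks(), `lsm_idlist[lsm_active_cnt++] = lsmid;` runs before the `lsm_active_cnt > LSM_COUNT` test, so the store has already happened by the time panic() can fire. If lsm_idlist holds LSM_COUNT entries (its declaration is not in this hunk), the registration that exceeds the limit first writes one slot past the end of the array. Test `lsm_active_cnt >= LSM_COUNT` before the assignment, inside the branch that adds a new id. Separately, the duplicate check compares lsmid only with `lsm_idlist[lsm_active_cnt - 1]`, so it depends on a module's repeated security_add_hooks() calls being back to back; either state that ordering assumption in the comment or scan the whole list.
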
--
2.39.2
--
paul-moore.com