Thread (32 messages) 32 messages, 3 authors, 2023-07-30

Re: [PATCH v12 02/11] LSM: Maintain a table of LSM attribute data

From: Paul Moore <paul@paul-moore.com>
Date: 2023-07-21 21:40:40
Also in: linux-security-module, lkml 

On Fri, Jul 14, 2023 at 3:42 PM Casey Schaufler [off-list ref] wrote:
On 7/11/2023 8:35 AM, Mickaël Salaün wrote:
quoted
On 29/06/2023 21:55, Casey Schaufler wrote:
quoted
As LSMs are registered add their lsm_id pointers to a table.
This will be used later for attribute reporting.

Determine the number of possible security modules based on
their respective CONFIG options. This allows the number to be
known at build time. This allows data structures and tables
to use the constant.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: Kees Cook <redacted>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
---
  include/linux/security.h |  2 ++
  security/security.c      | 37 +++++++++++++++++++++++++++++++++++++
  2 files changed, 39 insertions(+)
...
quoted
quoted
diff --git a/security/security.c b/security/security.c
index e56714ef045a..5a699e47478b 100644
--- a/security/security.c
+++ b/security/security.c
@@ -521,6 +546,18 @@ void __init security_add_hooks(struct
security_hook_list *hooks, int count,
  {
      int i;
  +    /*
+     * A security module may call security_add_hooks() more
+     * than once during initialization, and LSM initialization
+     * is serialized. Landlock is one such case.
+     * Look at the previous entry, if there is one, for duplication.
+     */
+    if (lsm_active_cnt == 0 || lsm_idlist[lsm_active_cnt - 1] !=
lsmid) {
Isn't it possible to have interleaved security_add_hooks() calls?
The initialization is serial and interleaving isn't possible.
quoted
quoted
+        if (lsm_active_cnt >= LSM_CONFIG_COUNT)
+            panic("%s Too many LSMs registered.\n", __func__);
I'm not sure we should panic, but from a security point of view it is
critical enough…
It's possible this should be a BUG() instance, but the panic() more
closely resembles what's nearby in the code.
I think the panic() call is okay.  If something is so horribly broken
that we hit this case we have little option but to panic the system as
booting with the LSM controls busted in such a way is very not good.

There are probably those that would object to the above statement, but
those people aren't likely to be building a kernel with any LSMs in
the first place.

-- 
paul-moore.com
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help