Re: [PATCH v38 01/39] LSM: Identify modules by more than name
From: Georgia Garcia <hidden>
Date: 2023-03-03 15:18:47
Also in:
lkml, selinux
Hi! On Tue, 2022-09-27 at 12:53 -0700, Casey Schaufler wrote:
quoted hunk ↗ jump to hunk
Create a struct lsm_id to contain identifying information about Linux Security Modules (LSMs). At inception this contains a single member, which is the name of the module. Change the security_add_hooks() interface to use this structure. Change the individual modules to maintain their own struct lsm_id and pass it to security_add_hooks(). Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> --- include/linux/lsm_hooks.h | 11 +++++++++-- security/apparmor/lsm.c | 6 +++++- security/bpf/hooks.c | 11 ++++++++++- security/commoncap.c | 6 +++++- security/landlock/cred.c | 2 +- security/landlock/fs.c | 2 +- security/landlock/ptrace.c | 2 +- security/landlock/setup.c | 4 ++++ security/landlock/setup.h | 1 + security/loadpin/loadpin.c | 7 ++++++- security/lockdown/lockdown.c | 6 +++++- security/safesetid/lsm.c | 7 ++++++- security/security.c | 12 ++++++------ security/selinux/hooks.c | 7 ++++++- security/smack/smack_lsm.c | 6 +++++- security/tomoyo/tomoyo.c | 7 ++++++- security/yama/yama_lsm.c | 6 +++++- 17 files changed, 82 insertions(+), 21 deletions(-)diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 3aa6030302f5..23054881eb08 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h@@ -1598,6 +1598,13 @@ struct security_hook_heads {#undef LSM_HOOK } __randomize_layout; +/* + * Information that identifies a security module. + */ +struct lsm_id { + const char *lsm; /* Name of the LSM */ +}; + /* * Security module hook list structure. * For use with generic list macros for common operations.@@ -1606,7 +1613,7 @@ struct security_hook_list {struct hlist_node list; struct hlist_head *head; union security_list_options hook; - const char *lsm; + struct lsm_id *lsmid; } __randomize_layout; /*@@ -1641,7 +1648,7 @@ extern struct security_hook_heads security_hook_heads;extern char *lsm_names; extern void security_add_hooks(struct security_hook_list *hooks, int count, - const char *lsm); + struct lsm_id *lsmid); #define LSM_FLAG_LEGACY_MAJOR BIT(0) #define LSM_FLAG_EXCLUSIVE BIT(1)diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index e29cade7b662..b71f7d4159d7 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c@@ -1202,6 +1202,10 @@ struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = {.lbs_task = sizeof(struct aa_task_ctx), }; +static struct lsm_id apparmor_lsmid __lsm_ro_after_init = { + .lsm = "apparmor", +}; + static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check), LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),@@ -1897,7 +1901,7 @@ static int __init apparmor_init(void)goto buffers_out; } security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks), - "apparmor"); + &apparmor_lsmid); /* Report that AppArmor successfully initialized */ apparmor_initialized = 1;diff --git a/security/bpf/hooks.c b/security/bpf/hooks.c index e5971fa74fd7..e50de3abfde2 100644 --- a/security/bpf/hooks.c +++ b/security/bpf/hooks.c@@ -15,9 +15,18 @@ static struct security_hook_list bpf_lsm_hooks[] __lsm_ro_after_init = {LSM_HOOK_INIT(task_free, bpf_task_storage_free), }; +/* + * slot has to be LSMBLOB_NEEDED because some of the hooks + * supplied by this module require a slot. + */ +struct lsm_id bpf_lsmid __lsm_ro_after_init = { + .lsm = "bpf", +};
Can bpf_lsmid be static too?
+
static int __init bpf_lsm_init(void)
{
- security_add_hooks(bpf_lsm_hooks, ARRAY_SIZE(bpf_lsm_hooks), "bpf");
+ security_add_hooks(bpf_lsm_hooks, ARRAY_SIZE(bpf_lsm_hooks),
+ &bpf_lsmid);
pr_info("LSM support for eBPF active\n");
return 0;
}Thanks