Thread (14 messages), 5 authors, 2025-11-26

Re: [PATCH v15 3/4] lsm: count the LSMs enabled at compile time

From: Paul Moore <paul@paul-moore.com>
Date: 2024-08-22 16:27:36
Also in: bpf

On Fri, Aug 16, 2024 at 11:43 AM KP Singh [off-list ref] wrote:
These macros are a clever trick to determine a count of the number of
LSMs that are enabled in the config to ascertain the maximum number of
static calls that need to be configured per LSM hook.

Without this one would need to generate static calls for the total
number of LSMs in the kernel (even if they are not compiled) times the
number of LSM hooks which ends up being quite wasteful.

Suggested-by: Kui-Feng Lee <redacted>
Suggested-by: Andrii Nakryiko <andrii@kernel.org>
Acked-by: Song Liu <song@kernel.org>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Reviewed-by: Kees Cook <redacted>
Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: KP Singh <kpsingh@kernel.org>
Reviewed-by: John Johansen <john.johansen@canonical.com>
[PM: subj tweaks]
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 include/linux/args.h      |   6 +-
 include/linux/lsm_count.h | 128 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 131 insertions(+), 3 deletions(-)
 create mode 100644 include/linux/lsm_count.h
...
diff --git a/include/linux/lsm_count.h b/include/linux/lsm_count.h
new file mode 100644
index 000000000000..73c7cc81349b
--- /dev/null
+++ b/include/linux/lsm_count.h
@@ -0,0 +1,128 @@
...
+/*
+ *  There is a trailing comma that we need to be accounted for. This is done by
+ *  using a skipped argument in __COUNT_LSMS
+ */
+#define __COUNT_LSMS(skipped_arg, args...) COUNT_ARGS(args...)
+#define COUNT_LSMS(args...) __COUNT_LSMS(args)
+
+#define MAX_LSM_COUNT                  \
+       COUNT_LSMS(                     \
+               CAPABILITIES_ENABLED    \
+               SELINUX_ENABLED         \
+               SMACK_ENABLED           \
+               APPARMOR_ENABLED        \
+               TOMOYO_ENABLED          \
+               YAMA_ENABLED            \
+               LOADPIN_ENABLED         \
+               LOCKDOWN_ENABLED        \
+               SAFESETID_ENABLED       \
+               BPF_LSM_ENABLED         \
+               LANDLOCK_ENABLED        \
+               IMA_ENABLED             \
+               EVM_ENABLED)
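Review bot: MAX_LSM_COUNT is a hand-maintained enumeration of the *_ENABLED markers, so an LSM that is merged without a matching entry in this list is undercounted, and nothing in this hunk flags that at build time. Suggest a comment directly above the list stating that every new LSM must add its marker here, or better a build-time assertion that ties the count to the set of LSMs actually built in. Minor: in the comment above __COUNT_LSMS, "that we need to be accounted for" should read "that needs to be accounted for".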
The above is missing an entry for IPE; I missed this during the merge,
thanks to Fan for pointing it out.  As the IPE patchset was merged
into the lsm/dev tree only a few hours before this patchset, that
isn't your fault, it's mine :)

Regardless, it should be fixed in lsm/dev now.

-- 
paul-moore.com
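
The counting trick from the commit message and the missing-entry problem raised in the reply, as an added user-space example (not the kernel's `lsm_count.h` and not code from the thread). The `*_SLOT` markers, `PICK9`, `COUNT_SLOTS`, `built_in` and `unplaced` are hypothetical names, and the trailing comma is absorbed here by offsetting the number sequence rather than by a skipped argument.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-ins for the per-LSM markers: "1," when built in, empty when not. */
#define CAPABILITIES_SLOT 1,
#define SELINUX_SLOT      1,
#define YAMA_SLOT              /* not built in: contributes nothing */
#define IPE_SLOT          1,

/* Select the 9th argument. N markers expand to N+1 arguments (the last one
 * empty, from the trailing comma), so the sequence starts at 7, not 8. */
#define PICK9(a1, a2, a3, a4, a5, a6, a7, a8, n, ...) n
#define COUNT_SLOTS_(...) PICK9(__VA_ARGS__, 7, 6, 5, 4, 3, 2, 1, 0, _)
/* Extra level so the markers are expanded to "1, 1, ..." before counting. */
#define COUNT_SLOTS(...) COUNT_SLOTS_(__VA_ARGS__)

#define SLOTS_COMPLETE COUNT_SLOTS(CAPABILITIES_SLOT SELINUX_SLOT YAMA_SLOT IPE_SLOT)
#define SLOTS_STALE    COUNT_SLOTS(CAPABILITIES_SLOT SELINUX_SLOT YAMA_SLOT) /* IPE forgotten */
#define SLOTS_NONE     COUNT_SLOTS()

/* LSMs this constructed build really contains (assumption for the demo). */
static const char *const built_in[] = { "capability", "selinux", "ipe" };
#define BUILT_IN_COUNT (sizeof(built_in) / sizeof(built_in[0]))

/* Build-time guard: compilation fails if the hand-kept list drifts. */
_Static_assert(SLOTS_COMPLETE == BUILT_IN_COUNT, "slot list out of sync");

/* Fill a per-hook table of `capacity` slots; return how many LSMs got none. */
static size_t unplaced(const char **table, size_t capacity)
{
    size_t used = 0, dropped = 0;
    for (size_t i = 0; i < BUILT_IN_COUNT; i++) {
        if (used < capacity)
            table[used++] = built_in[i];
        else
            dropped++;          /* no slot left for this LSM */
    }
    return dropped;
}

int main(void)
{
    const char *ok[SLOTS_COMPLETE], *stale[SLOTS_STALE];
    printf("complete list: %d slots, %zu unplaced\n", SLOTS_COMPLETE, unplaced(ok, SLOTS_COMPLETE));
    printf("stale list:    %d slots, %zu unplaced\n", SLOTS_STALE, unplaced(stale, SLOTS_STALE));
    printf("empty list:    %d slots\n", SLOTS_NONE);
    return 0;
}
```

Pointing the `_Static_assert` at `SLOTS_STALE` instead of `SLOTS_COMPLETE` makes the build fail, which is the signal the hand-kept list otherwise lacks.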