LSM: Add all exclusive LSMs to ordered initialization
This removes CONFIG_DEFAULT_SECURITY in favor of the explicit ordering offered by CONFIG_LSM and adds all the exclusive LSMs to the ordered LSM initialization. The old meaning of CONFIG_DEFAULT_SECURITY is now captured by which exclusive LSM is listed first in the LSM order. All LSMs not added to the ordered list are explicitly disabled. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
This commit is contained in:
Родитель
be6ec88f41
Коммит
c91d8106b3
@ -169,8 +169,6 @@ static void __init ordered_lsm_parse(const char *order, const char *origin)
|
|||
char *sep, *name, *next;
|
||||
|
||||
/* Process "security=", if given. */
|
||||
if (!chosen_major_lsm)
|
||||
chosen_major_lsm = CONFIG_DEFAULT_SECURITY;
|
||||
if (chosen_major_lsm) {
|
||||
struct lsm_info *major;
|
||||
|
||||
|
@ -198,8 +196,7 @@ static void __init ordered_lsm_parse(const char *order, const char *origin)
|
|||
bool found = false;
|
||||
|
||||
for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
|
||||
if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0 &&
|
||||
strcmp(lsm->name, name) == 0) {
|
||||
if (strcmp(lsm->name, name) == 0) {
|
||||
append_ordered_lsm(lsm, origin);
|
||||
found = true;
|
||||
}
|
||||
|
@ -208,6 +205,25 @@ static void __init ordered_lsm_parse(const char *order, const char *origin)
|
|||
if (!found)
|
||||
init_debug("%s ignored: %s\n", origin, name);
|
||||
}
|
||||
|
||||
/* Process "security=", if given. */
|
||||
if (chosen_major_lsm) {
|
||||
for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
|
||||
if (exists_ordered_lsm(lsm))
|
||||
continue;
|
||||
if (strcmp(lsm->name, chosen_major_lsm) == 0)
|
||||
append_ordered_lsm(lsm, "security=");
|
||||
}
|
||||
}
|
||||
|
||||
/* Disable all LSMs not in the ordered list. */
|
||||
for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
|
||||
if (exists_ordered_lsm(lsm))
|
||||
continue;
|
||||
set_enabled(lsm, false);
|
||||
init_debug("%s disabled: %s\n", origin, lsm->name);
|
||||
}
|
||||
|
||||
kfree(sep);
|
||||
}
|
||||
|
||||
|
@ -229,22 +245,6 @@ static void __init ordered_lsm_init(void)
|
|||
kfree(ordered_lsms);
|
||||
}
|
||||
|
||||
static void __init major_lsm_init(void)
|
||||
{
|
||||
struct lsm_info *lsm;
|
||||
|
||||
for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
|
||||
if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0)
|
||||
continue;
|
||||
|
||||
/* Enable this LSM, if it is not already set. */
|
||||
if (!lsm->enabled)
|
||||
lsm->enabled = &lsm_enabled_true;
|
||||
|
||||
maybe_initialize_lsm(lsm);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* security_init - initializes the security framework
|
||||
*
|
||||
|
@ -271,11 +271,6 @@ int __init security_init(void)
|
|||
/* Load LSMs in specified order. */
|
||||
ordered_lsm_init();
|
||||
|
||||
/*
|
||||
* Load all the remaining security modules.
|
||||
*/
|
||||
major_lsm_init();
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
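Review bot: The new `security=` loop in the -208 hunk (`if (chosen_major_lsm) { for (lsm = __start_lsm_info; ...` through the closing `}` before the "Disable all LSMs" comment) reports nothing when the requested name matches no built-in LSM, whereas the CONFIG_LSM walk just above it logs unmatched names with `init_debug("%s ignored: %s\n", origin, name)`. A boot-line typo, or naming a major LSM that is not compiled in, therefore leaves no trace of why that module is absent; the disable loop that follows then switches off every remaining LSM with only the generic "%s disabled" message, which does not say that the requested one was never found. Suggest tracking a match in that loop and logging the miss after it, e.g. `bool found = false;` before the loop, `found = true;` beside `append_ordered_lsm(lsm, "security=");`, and `if (!found) init_debug("security= ignored: %s\n", chosen_major_lsm);` after it. ordered_lsm_parse starts before the first hunk; the hunks at -169, -198 and -208 are all pieces of that one function.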