Message ID | 20230109180717.58855-3-casey@schaufler-ca.com |
---|---|
State | New |
Headers | From: Casey Schaufler <casey@schaufler-ca.com>; To: casey.schaufler@intel.com, paul@paul-moore.com, linux-security-module@vger.kernel.org; Cc: casey@schaufler-ca.com, jmorris@namei.org, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, mic@digikod.net; Subject: [PATCH v5 2/8] LSM: Maintain a table of LSM attribute data; Date: Mon, 9 Jan 2023 10:07:11 -0800; Message-Id: <20230109180717.58855-3-casey@schaufler-ca.com>; In-Reply-To: <20230109180717.58855-1-casey@schaufler-ca.com>; X-Mailer: git-send-email 2.39.0 |
Series | LSM: Three basic syscalls |
Commit Message
Casey Schaufler
Jan. 9, 2023, 6:07 p.m. UTC
As LSMs are registered, add their lsm_id pointers to a table.
This will be used later for attribute reporting.
Determine the number of possible security modules based on
their respective CONFIG options. This allows the number to be
known at build time. This allows data structures and tables
to use the constant.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/security.h | 2 ++
security/security.c | 44 +++++++++++++++++++++++++++++++++-------
2 files changed, 39 insertions(+), 7 deletions(-)
Comments
Greeting,

FYI, we noticed WARNING:at_security/security.c:#append_ordered_lsm due to commit (built with gcc-11):

commit: 98221e36622f4dde4afa923518706bd2c8870f00 ("[PATCH v5 2/8] LSM: Maintain a table of LSM attribute data")
url: https://github.com/intel-lab-lkp/linux/commits/Casey-Schaufler/LSM-Maintain-a-table-of-LSM-attribute-data/20230110-030739
base: https://git.kernel.org/cgit/linux/kernel/git/tip/tip.git 0ecc518e5c1a83fbfc6262d20d0df289eafc2207
patch link: https://lore.kernel.org/all/20230109180717.58855-3-casey@schaufler-ca.com/
patch subject: [PATCH v5 2/8] LSM: Maintain a table of LSM attribute data

in testcase: boot

on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):

[ 0.472992][ T0] ------------[ cut here ]------------
[ 0.472996][ T0] builtin: out of LSM slots!?
[ 0.474006][ T0] WARNING: CPU: 0 PID: 0 at security/security.c:173 append_ordered_lsm (security/security.c:173 (discriminator 1))
[ 0.474995][ T0] Modules linked in:
[ 0.476300][ T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.2.0-rc1-00014-g98221e36622f #1
[ 0.477324][ T0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014
[ 0.478996][ T0] RIP: 0010:append_ordered_lsm (security/security.c:173 (discriminator 1))
[ 0.492997][ T0] Call Trace:
[ 0.494012][ T0] <TASK>
[ 0.494774][ T0] ordered_lsm_parse (security/security.c:307)
[ 0.495996][ T0] ordered_lsm_init (security/security.c:379)
[ 0.496996][ T0] security_init (security/security.c:461)
[ 0.498304][ T0] start_kernel (init/main.c:1129)
[ 0.499310][ T0] secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:358)
[ 0.500222][ T0] </TASK>
[ 0.501166][ T0] ---[ end trace 0000000000000000 ]---

If you fix the issue, kindly add following tag
| Reported-by: kernel test robot <yujie.liu@intel.com>
| Link: https://lore.kernel.org/oe-lkp/202301110957.4f3cd38e-yujie.liu@intel.com

To reproduce:

# build kernel
cd linux
cp config-6.2.0-rc1-00014-g98221e36622f .config
make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
cd <mod-install-dir>
find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz

git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

# if come across any failure that blocks the test,
# please remove ~/.lkp and /lkp dir to run from a clean state.
On Mon, Jan 9, 2023 at 1:07 PM Casey Schaufler <casey@schaufler-ca.com> wrote: > > As LSMs are registered add their lsm_id pointers to a table. > This will be used later for attribute reporting. > > Determine the number of possible security modules based on > their respective CONFIG options. This allows the number to be > known at build time. This allows data structures and tables > to use the constant. > > Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> > --- > include/linux/security.h | 2 ++ > security/security.c | 44 +++++++++++++++++++++++++++++++++------- > 2 files changed, 39 insertions(+), 7 deletions(-) > > diff --git a/include/linux/security.h b/include/linux/security.h > index 5b67f208f7de..33ed1860b96f 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -138,6 +138,8 @@ enum lockdown_reason { > }; > > extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1]; > +extern u32 lsm_active_cnt; > +extern struct lsm_id *lsm_idlist[]; > > /* These functions are in security/commoncap.c */ > extern int cap_capable(const struct cred *cred, struct user_namespace *ns, > diff --git a/security/security.c b/security/security.c > index 07a8fe7f92bf..a590fa98ddd6 100644 > --- a/security/security.c > +++ b/security/security.c 
> @@ -28,12 +28,29 @@ > #include <linux/backing-dev.h> > #include <linux/string.h> > #include <linux/msg.h> > +#include <uapi/linux/lsm.h> > #include <net/flow.h> > > #define MAX_LSM_EVM_XATTR 2 > > -/* How many LSMs were built into the kernel? */ > -#define LSM_COUNT (__end_lsm_info - __start_lsm_info) > +/* > + * How many LSMs are built into the kernel as determined at > + * build time. Used to determine fixed array sizes. > + * The capability module is accounted for by CONFIG_SECURITY > + */ > +#define LSM_COUNT ( \ > + (IS_ENABLED(CONFIG_SECURITY) ? 1 : 0) + \ > + (IS_ENABLED(CONFIG_SECURITY_SELINUX) ? 1 : 0) + \ > + (IS_ENABLED(CONFIG_SECURITY_SMACK) ? 1 : 0) + \ > + (IS_ENABLED(CONFIG_SECURITY_TOMOYO) ? 1 : 0) + \ > + (IS_ENABLED(CONFIG_SECURITY_IMA) ? 1 : 0) + \ > + (IS_ENABLED(CONFIG_SECURITY_APPARMOR) ? 1 : 0) + \ > + (IS_ENABLED(CONFIG_SECURITY_YAMA) ? 1 : 0) + \ > + (IS_ENABLED(CONFIG_SECURITY_LOADPIN) ? 1 : 0) + \ > + (IS_ENABLED(CONFIG_SECURITY_SAFESETID) ? 1 : 0) + \ > + (IS_ENABLED(CONFIG_SECURITY_LOCKDOWN_LSM) ? 1 : 0) + \ > + (IS_ENABLED(CONFIG_BPF_LSM) ? 1 : 0) + \ > + (IS_ENABLED(CONFIG_SECURITY_LANDLOCK) ? 1 : 0)) > > /* > * These are descriptions of the reasons that can be passed to the > @@ -90,7 +107,7 @@ static __initdata const char *chosen_major_lsm; > static __initconst const char * const builtin_lsm_order = CONFIG_LSM; > > /* Ordered list of LSMs to initialize. */ > -static __initdata struct lsm_info **ordered_lsms; > +static __initdata struct lsm_info *ordered_lsms[LSM_COUNT + 1]; I'm guessing this 'LSM_COUNT + 1' logic is basically just copied from ordered_lsm_init() - which is okay - but can you remind me why it is 'LSM_COUNT + 1' and not just 'LSM_COUNT'? Based on the LSM_COUNT macro above it seems like LSM_COUNT should be enough, no? > static __initdata struct lsm_info *exclusive; > > static __initdata bool debug; 
> @@ -341,13 +358,16 @@ static void __init report_lsm_order(void) > pr_cont("\n"); > } > > +/* > + * Current index to use while initializing the lsm id list. > + */ > +u32 lsm_active_cnt __lsm_ro_after_init; > +struct lsm_id *lsm_idlist[LSM_COUNT] __lsm_ro_after_init; > + > static void __init ordered_lsm_init(void) > { > struct lsm_info **lsm; > > - ordered_lsms = kcalloc(LSM_COUNT + 1, sizeof(*ordered_lsms), > - GFP_KERNEL); > - > if (chosen_lsm_order) { > if (chosen_major_lsm) { > pr_warn("security=%s is ignored because it is superseded by lsm=%s\n", > @@ -388,7 +408,7 @@ static void __init ordered_lsm_init(void) > for (lsm = ordered_lsms; *lsm; lsm++) > initialize_lsm(*lsm); > > - kfree(ordered_lsms); > + init_debug("lsm count = %d\n", lsm_active_cnt); > } Given 86ef3c735ec8 ("LSM: Better reporting of actual LSMs at boot"), is this needed? -- paul-moore.com
On 1/11/2023 1:01 PM, Paul Moore wrote: > On Mon, Jan 9, 2023 at 1:07 PM Casey Schaufler <casey@schaufler-ca.com> wrote: >> As LSMs are registered add their lsm_id pointers to a table. >> This will be used later for attribute reporting. >> >> Determine the number of possible security modules based on >> their respective CONFIG options. This allows the number to be >> known at build time. This allows data structures and tables >> to use the constant. >> >> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> >> --- >> include/linux/security.h | 2 ++ >> security/security.c | 44 +++++++++++++++++++++++++++++++++------- >> 2 files changed, 39 insertions(+), 7 deletions(-) >> >> diff --git a/include/linux/security.h b/include/linux/security.h >> index 5b67f208f7de..33ed1860b96f 100644 >> --- a/include/linux/security.h >> +++ b/include/linux/security.h >> @@ -138,6 +138,8 @@ enum lockdown_reason { >> }; >> >> extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1]; >> +extern u32 lsm_active_cnt; >> +extern struct lsm_id *lsm_idlist[]; >> >> /* These functions are in security/commoncap.c */ >> extern int cap_capable(const struct cred *cred, struct user_namespace *ns, >> diff --git a/security/security.c b/security/security.c >> index 07a8fe7f92bf..a590fa98ddd6 100644 >> --- a/security/security.c >> +++ b/security/security.c 
>> @@ -28,12 +28,29 @@ >> #include <linux/backing-dev.h> >> #include <linux/string.h> >> #include <linux/msg.h> >> +#include <uapi/linux/lsm.h> >> #include <net/flow.h> >> >> #define MAX_LSM_EVM_XATTR 2 >> >> -/* How many LSMs were built into the kernel? */ >> -#define LSM_COUNT (__end_lsm_info - __start_lsm_info) >> +/* >> + * How many LSMs are built into the kernel as determined at >> + * build time. Used to determine fixed array sizes. >> + * The capability module is accounted for by CONFIG_SECURITY >> + */ >> +#define LSM_COUNT ( \ >> + (IS_ENABLED(CONFIG_SECURITY) ? 1 : 0) + \ >> + (IS_ENABLED(CONFIG_SECURITY_SELINUX) ? 1 : 0) + \ >> + (IS_ENABLED(CONFIG_SECURITY_SMACK) ? 1 : 0) + \ >> + (IS_ENABLED(CONFIG_SECURITY_TOMOYO) ? 1 : 0) + \ >> + (IS_ENABLED(CONFIG_SECURITY_IMA) ? 1 : 0) + \ >> + (IS_ENABLED(CONFIG_SECURITY_APPARMOR) ? 1 : 0) + \ >> + (IS_ENABLED(CONFIG_SECURITY_YAMA) ? 1 : 0) + \ >> + (IS_ENABLED(CONFIG_SECURITY_LOADPIN) ? 1 : 0) + \ >> + (IS_ENABLED(CONFIG_SECURITY_SAFESETID) ? 1 : 0) + \ >> + (IS_ENABLED(CONFIG_SECURITY_LOCKDOWN_LSM) ? 1 : 0) + \ >> + (IS_ENABLED(CONFIG_BPF_LSM) ? 1 : 0) + \ >> + (IS_ENABLED(CONFIG_SECURITY_LANDLOCK) ? 1 : 0)) >> >> /* >> * These are descriptions of the reasons that can be passed to the 
>> @@ -90,7 +107,7 @@ static __initdata const char *chosen_major_lsm; >> static __initconst const char * const builtin_lsm_order = CONFIG_LSM; >> >> /* Ordered list of LSMs to initialize. */ >> -static __initdata struct lsm_info **ordered_lsms; >> +static __initdata struct lsm_info *ordered_lsms[LSM_COUNT + 1]; > I'm guessing this 'LSM_COUNT + 1' logic is basically just copied from > ordered_lsm_init() - which is okay - but can you remind me why it is > 'LSM_COUNT + 1' and not just 'LSM_COUNT'? Based on the LSM_COUNT > macro above it seems like LSM_COUNT should be enough, no? Yup. I didn't spend a lot of time investigating why the + 1. I'll look more deeply and correct if appropriate. >> static __initdata struct lsm_info *exclusive; >> >> static __initdata bool debug; >> @@ -341,13 +358,16 @@ static void __init report_lsm_order(void) >> pr_cont("\n"); >> } >> >> +/* >> + * Current index to use while initializing the lsm id list. >> + */ >> +u32 lsm_active_cnt __lsm_ro_after_init; >> +struct lsm_id *lsm_idlist[LSM_COUNT] __lsm_ro_after_init; >> + >> static void __init ordered_lsm_init(void) >> { >> struct lsm_info **lsm; >> >> - ordered_lsms = kcalloc(LSM_COUNT + 1, sizeof(*ordered_lsms), >> - GFP_KERNEL); >> - >> if (chosen_lsm_order) { >> if (chosen_major_lsm) { >> pr_warn("security=%s is ignored because it is superseded by lsm=%s\n", >> @@ -388,7 +408,7 @@ static void __init ordered_lsm_init(void) >> for (lsm = ordered_lsms; *lsm; lsm++) >> initialize_lsm(*lsm); >> >> - kfree(ordered_lsms); >> + init_debug("lsm count = %d\n", lsm_active_cnt); >> } > Given 86ef3c735ec8 ("LSM: Better reporting of actual LSMs at boot"), > is this needed? None of what comes out from lsm.debug is strictly necessary, and human or script can parse "initializing lsm=", but sometimes the number of LSMs is interesting. > > -- > paul-moore.com
On Wed, Jan 11, 2023 at 7:36 PM Casey Schaufler <casey@schaufler-ca.com> wrote: > On 1/11/2023 1:01 PM, Paul Moore wrote: > > On Mon, Jan 9, 2023 at 1:07 PM Casey Schaufler <casey@schaufler-ca.com> wrote: > >> As LSMs are registered add their lsm_id pointers to a table. > >> This will be used later for attribute reporting. > >> > >> Determine the number of possible security modules based on > >> their respective CONFIG options. This allows the number to be > >> known at build time. This allows data structures and tables > >> to use the constant. > >> > >> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> > >> --- > >> include/linux/security.h | 2 ++ > >> security/security.c | 44 +++++++++++++++++++++++++++++++++------- > >> 2 files changed, 39 insertions(+), 7 deletions(-) ... > >> diff --git a/security/security.c b/security/security.c > >> index 07a8fe7f92bf..a590fa98ddd6 100644 > >> --- a/security/security.c > >> +++ b/security/security.c > >> @@ -388,7 +408,7 @@ static void __init ordered_lsm_init(void) > >> for (lsm = ordered_lsms; *lsm; lsm++) > >> initialize_lsm(*lsm); > >> > >> - kfree(ordered_lsms); > >> + init_debug("lsm count = %d\n", lsm_active_cnt); > >> } > > Given 86ef3c735ec8 ("LSM: Better reporting of actual LSMs at boot"), > > is this needed? > > None of what comes out from lsm.debug is strictly necessary, and > human or script can parse "initializing lsm=", but sometimes the > number of LSMs is interesting. I guess what I was questioning is if printing the @lsm_active_cnt variable provides any better information than what is already provided by commit 86ef3c735ec8? We currently print the enabled/active LSMs with lsm.debug; printing a count seems a bit redundant to me.
diff --git a/include/linux/security.h b/include/linux/security.h index 5b67f208f7de..33ed1860b96f 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -138,6 +138,8 @@ enum lockdown_reason { }; extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1]; +extern u32 lsm_active_cnt; +extern struct lsm_id *lsm_idlist[]; /* These functions are in security/commoncap.c */ extern int cap_capable(const struct cred *cred, struct user_namespace *ns, diff --git a/security/security.c b/security/security.c index 07a8fe7f92bf..a590fa98ddd6 100644 --- a/security/security.c +++ b/security/security.c @@ -28,12 +28,29 @@ #include <linux/backing-dev.h> #include <linux/string.h> #include <linux/msg.h> +#include <uapi/linux/lsm.h> #include <net/flow.h> #define MAX_LSM_EVM_XATTR 2 -/* How many LSMs were built into the kernel? */ -#define LSM_COUNT (__end_lsm_info - __start_lsm_info) +/* + * How many LSMs are built into the kernel as determined at + * build time. Used to determine fixed array sizes. + * The capability module is accounted for by CONFIG_SECURITY + */ +#define LSM_COUNT ( \ + (IS_ENABLED(CONFIG_SECURITY) ? 1 : 0) + \ + (IS_ENABLED(CONFIG_SECURITY_SELINUX) ? 1 : 0) + \ + (IS_ENABLED(CONFIG_SECURITY_SMACK) ? 1 : 0) + \ + (IS_ENABLED(CONFIG_SECURITY_TOMOYO) ? 1 : 0) + \ + (IS_ENABLED(CONFIG_SECURITY_IMA) ? 1 : 0) + \ + (IS_ENABLED(CONFIG_SECURITY_APPARMOR) ? 1 : 0) + \ + (IS_ENABLED(CONFIG_SECURITY_YAMA) ? 1 : 0) + \ + (IS_ENABLED(CONFIG_SECURITY_LOADPIN) ? 1 : 0) + \ + (IS_ENABLED(CONFIG_SECURITY_SAFESETID) ? 1 : 0) + \ + (IS_ENABLED(CONFIG_SECURITY_LOCKDOWN_LSM) ? 1 : 0) + \ + (IS_ENABLED(CONFIG_BPF_LSM) ? 1 : 0) + \ + (IS_ENABLED(CONFIG_SECURITY_LANDLOCK) ? 1 : 0)) /* * These are descriptions of the reasons that can be passed to the 
@@ -90,7 +107,7 @@ static __initdata const char *chosen_major_lsm; static __initconst const char * const builtin_lsm_order = CONFIG_LSM; /* Ordered list of LSMs to initialize. */ -static __initdata struct lsm_info **ordered_lsms; +static __initdata struct lsm_info *ordered_lsms[LSM_COUNT + 1]; static __initdata struct lsm_info *exclusive; static __initdata bool debug; @@ -341,13 +358,16 @@ static void __init report_lsm_order(void) pr_cont("\n"); } +/* + * Current index to use while initializing the lsm id list. + */ +u32 lsm_active_cnt __lsm_ro_after_init; +struct lsm_id *lsm_idlist[LSM_COUNT] __lsm_ro_after_init; + static void __init ordered_lsm_init(void) { struct lsm_info **lsm; - ordered_lsms = kcalloc(LSM_COUNT + 1, sizeof(*ordered_lsms), - GFP_KERNEL); - if (chosen_lsm_order) { if (chosen_major_lsm) { pr_warn("security=%s is ignored because it is superseded by lsm=%s\n", @@ -388,7 +408,7 @@ static void __init ordered_lsm_init(void) for (lsm = ordered_lsms; *lsm; lsm++) initialize_lsm(*lsm); - kfree(ordered_lsms); + init_debug("lsm count = %d\n", lsm_active_cnt); } int __init early_security_init(void) @@ -513,6 +533,16 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count, { int i; + /* + * A security module may call security_add_hooks() more + * than once. Landlock is one such case. + */ + if (lsm_active_cnt == 0 || lsm_idlist[lsm_active_cnt - 1] != lsmid) + lsm_idlist[lsm_active_cnt++] = lsmid; + + if (lsm_active_cnt > LSM_COUNT) + panic("%s Too many LSMs registered.\n", __func__); + for (i = 0; i < count; i++) { hooks[i].lsmid = lsmid; hlist_add_tail_rcu(&hooks[i].list, hooks[i].head);
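Review bot: the LSM_COUNT macro in the first security/security.c hunk has to cover every LSM that can be built in, because the static arrays sized from it (ordered_lsms, lsm_idlist) have no other way to grow; the kernel test robot report earlier on this page ("builtin: out of LSM slots!?" in append_ordered_lsm) is what an undercount looks like at boot. The term to check is '(IS_ENABLED(CONFIG_SECURITY_IMA) ? 1 : 0)': the integrity LSM is gated on CONFIG_INTEGRITY, and IS_ENABLED() of a symbol that no Kconfig defines evaluates to 0 unconditionally, so that slot is silently dropped. Suggest '(IS_ENABLED(CONFIG_INTEGRITY) ? 1 : 0)' and a comment stating that each DEFINE_LSM() in the tree needs a matching line here, since nothing else enforces that pairing.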
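Review bot: on the 'ordered_lsms[LSM_COUNT + 1]' question raised in the thread, the '+ 1' is needed and should be documented at the declaration. The array is consumed as a NULL-terminated list in the later hunk ('for (lsm = ordered_lsms; *lsm; lsm++)'), so with every built-in LSM enabled it must hold LSM_COUNT pointers plus the terminating NULL; the kcalloc() it replaces sized for 'LSM_COUNT + 1' for the same reason, and the static array gets its trailing NULL from zero-initialization. A one-line comment ("+ 1 for the NULL terminator") saves the next reader the same question.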
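Review bot: the comment added above 'lsm_active_cnt' ("Current index to use while initializing the lsm id list") undersells the variable: it is exported through include/linux/security.h and marked __lsm_ro_after_init, so after init it is the authoritative count of registered LSMs and the valid length of lsm_idlist, and the comment should say so. Two smaller points in the same region: 'init_debug("lsm count = %d\n", lsm_active_cnt)' prints a u32 with %d, so use %u; and on the redundancy question in the thread, the only information the line adds over the existing "initializing lsm=" output is a check that lsm_active_cnt agrees with the number of LSMs actually initialized, which is worth stating in the message if the line stays.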
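Review bot: the bounds check in the security_add_hooks() hunk runs one statement too late. 'lsm_idlist[lsm_active_cnt++] = lsmid;' stores first and only afterwards does 'if (lsm_active_cnt > LSM_COUNT) panic(...)' fire, so whenever LSM_COUNT undercounts (the situation the robot report shows for the sibling ordered_lsms array) the first excess registration writes one pointer past the end of lsm_idlist before the panic. Move the check inside the dedup branch and test before storing:
	if (lsm_active_cnt >= LSM_COUNT)
		panic("%s Too many LSMs registered.\n", __func__);
	lsm_idlist[lsm_active_cnt++] = lsmid;
Also worth noting in the comment that the duplicate test only compares against the last slot, so it relies on an LSM's repeated security_add_hooks() calls (Landlock, per the comment) being consecutive during init; that holds for ordered initialization but is an assumption the code should state.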