LoadPin: Initialize as ordered LSM

This converts LoadPin from being a direct "minor" LSM into an ordered LSM.

Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
Kees Cook 2018-09-14 15:26:37 -07:00
parent d8e9bbd4fa
commit 70b62c2566
4 changed files with 8 additions and 45 deletions


@ -2095,10 +2095,5 @@ extern void __init yama_add_hooks(void);
#else #else
static inline void __init yama_add_hooks(void) { } static inline void __init yama_add_hooks(void) { }
#endif #endif
#ifdef CONFIG_SECURITY_LOADPIN
void __init loadpin_add_hooks(void);
#else
static inline void loadpin_add_hooks(void) { };
#endif
#endif /* ! __LINUX_LSM_HOOKS_H */ #endif /* ! __LINUX_LSM_HOOKS_H */


@ -239,46 +239,9 @@ source "security/yama/Kconfig"
source "security/integrity/Kconfig" source "security/integrity/Kconfig"
choice
prompt "Default security module"
default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
default DEFAULT_SECURITY_DAC
help
Select the security module that will be used by default if the
kernel parameter security= is not specified.
config DEFAULT_SECURITY_SELINUX
bool "SELinux" if SECURITY_SELINUX=y
config DEFAULT_SECURITY_SMACK
bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
config DEFAULT_SECURITY_TOMOYO
bool "TOMOYO" if SECURITY_TOMOYO=y
config DEFAULT_SECURITY_APPARMOR
bool "AppArmor" if SECURITY_APPARMOR=y
config DEFAULT_SECURITY_DAC
bool "Unix Discretionary Access Controls"
endchoice
config DEFAULT_SECURITY
string
default "selinux" if DEFAULT_SECURITY_SELINUX
default "smack" if DEFAULT_SECURITY_SMACK
default "tomoyo" if DEFAULT_SECURITY_TOMOYO
default "apparmor" if DEFAULT_SECURITY_APPARMOR
default "" if DEFAULT_SECURITY_DAC
config LSM config LSM
string "Ordered list of enabled LSMs" string "Ordered list of enabled LSMs"
default "integrity" default "loadpin,integrity,selinux,smack,tomoyo,apparmor"
help help
A comma-separated list of LSMs, in initialization order. A comma-separated list of LSMs, in initialization order.
Any LSMs left off this list will be ignored. This can be Any LSMs left off this list will be ignored. This can be
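Review bot: The changed `default` line of `config LSM` is now the only thing that causes LoadPin to be initialized, yet the help text under it (`Any LSMs left off this list will be ignored.`) does not say that a built-in LoadPin is among the modules that can be dropped this way; a .config carrying the previous default `integrity`, or any hand-edited list, will build with SECURITY_LOADPIN=y and never register LoadPin's hooks, and the only visible sign would be the absence of the `ready to pin` boot message printed in the security/loadpin/loadpin.c hunk. The same observation applies to the new `loadpin_init` in that hunk, which now runs only through `DEFINE_LSM` instead of the unconditional call removed from security_init. Suggest extending the help text with a sentence such as `LoadPin (SECURITY_LOADPIN) is only enabled when "loadpin" appears in this list.` The DEFAULT_SECURITY choice block appears to be removed in the same hunk, which the commit message does not mention; if that is intended, a sentence in the description would help. The help block continues past the end of this hunk.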


@ -187,13 +187,19 @@ static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(kernel_load_data, loadpin_load_data), LSM_HOOK_INIT(kernel_load_data, loadpin_load_data),
}; };
void __init loadpin_add_hooks(void) static int __init loadpin_init(void)
{ {
pr_info("ready to pin (currently %senforcing)\n", pr_info("ready to pin (currently %senforcing)\n",
enforce ? "" : "not "); enforce ? "" : "not ");
security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), "loadpin"); security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), "loadpin");
return 0;
} }
DEFINE_LSM(loadpin) = {
.name = "loadpin",
.init = loadpin_init,
};
/* Should not be mutable after boot, so not listed in sysfs (perm == 0). */ /* Should not be mutable after boot, so not listed in sysfs (perm == 0). */
module_param(enforce, int, 0); module_param(enforce, int, 0);
MODULE_PARM_DESC(enforce, "Enforce module/firmware pinning"); MODULE_PARM_DESC(enforce, "Enforce module/firmware pinning");
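Review bot: `loadpin_init` and the `DEFINE_LSM(loadpin)` block carry no comment explaining that, unlike the `loadpin_add_hooks` call dropped from security_init, this function now runs only when LoadPin is selected through the ordered CONFIG_LSM list, so a reader of this file cannot tell why an enabled LoadPin might never print its `ready to pin` line. Suggest a comment above the function such as `/* Entered via DEFINE_LSM; only runs when "loadpin" is in the CONFIG_LSM list. */`. The unconditional `return 0;` added before the closing brace is presumably correct because nothing in the body reports failure (the result of `security_add_hooks`, if it has one, is not visible here); a one-line comment stating that there is no failure path would keep a later maintainer from adding an error return by reflex.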


@ -275,7 +275,6 @@ int __init security_init(void)
*/ */
capability_add_hooks(); capability_add_hooks();
yama_add_hooks(); yama_add_hooks();
loadpin_add_hooks();
/* Load LSMs in specified order. */ /* Load LSMs in specified order. */
ordered_lsm_init(); ordered_lsm_init();