Add two new variables, lsm_count_prop_subj and lsm_count_prop_obj, to count the number of lsm_prop entries for subjects and objects across all of the enabled LSMs. Future patches will use this to continue the conversion towards the lsm_prop struct.
Signed-off-by: Paul Moore <p...@paul-moore.com>
---
 include/linux/lsm_hooks.h | 6 ++++++
 security/apparmor/lsm.c | 1 +
 security/bpf/hooks.c | 1 +
 security/commoncap.c | 1 +
 security/integrity/evm/evm_main.c | 1 +
 security/integrity/ima/ima_main.c | 1 +
 security/ipe/ipe.c | 1 +
 security/landlock/setup.c | 1 +
 security/loadpin/loadpin.c | 1 +
 security/lockdown/lockdown.c | 1 +
 security/lsm.h | 4 ++++
 security/lsm_init.c | 6 ++++++
 security/safesetid/lsm.c | 1 +
 security/security.c | 3 +++
 security/selinux/hooks.c | 1 +
 security/smack/smack_lsm.c | 1 +
 security/tomoyo/tomoyo.c | 1 +
 security/yama/yama_lsm.c | 1 +
 18 files changed, 33 insertions(+)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 0d2c2a017ffc..5bc144c5f685 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -71,16 +71,22 @@ struct lsm_static_calls_table {
 #undef LSM_HOOK
 } __packed __randomize_layout;
 
+#define LSM_ID_FLG_NONE 0x00000000
+#define LSM_ID_FLG_PROP_SUBJ 0x00000001
+#define LSM_ID_FLG_PROP_OBJ 0x00000002
+
 /**
  * struct lsm_id - Identify a Linux Security Module.
  * @lsm: name of the LSM, must be approved by the LSM maintainers
  * @id: LSM ID number from uapi/linux/lsm.h
+ * @flags: LSM flags, see LSM_ID_FLG_XXX
  *
  * Contains the information that identifies the LSM.
  */
 struct lsm_id {
 const char *name;
 u64 id;
+u32 flags;
 };
 
 /*
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 2fefaab6349f..db8592bed189 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -1428,6 +1428,7 @@ struct lsm_blob_sizes apparmor_blob_sizes __ro_after_init = {
 static const struct lsm_id apparmor_lsmid = {
 .name = "apparmor",
 .id = LSM_ID_APPARMOR,
+.flags = LSM_ID_FLG_PROP_SUBJ,
 };
 
 static struct security_hook_list apparmor_hooks[] __ro_after_init = {
diff --git a/security/bpf/hooks.c b/security/bpf/hooks.c
index 40efde233f3a..c72df6ff69f7 100644
--- a/security/bpf/hooks.c
+++ b/security/bpf/hooks.c
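Review bot: The kernel-doc block for struct lsm_id that the include/linux/lsm_hooks.h hunk extends still describes the first member as `@lsm` while the field is `name`, so the new `@flags` line is added to a comment that kernel-doc is likely to flag; since the block is being touched, correcting it to ` * @name: name of the LSM, must be approved by the LSM maintainers` is cheap. The three LSM_ID_FLG_* definitions also carry no comment saying what the bits mean; the commit message explains they mark LSMs that contribute subject/object entries to lsm_prop, and a one-line comment such as `/* LSM_ID_FLG_PROP_SUBJ/OBJ: the LSM stores subject/object data in struct lsm_prop */` above the defines would keep that knowledge next to the flags. The `@flags` description could likewise say it is a bitmask of LSM_ID_FLG_* values rather than `see LSM_ID_FLG_XXX`.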
@@ -18,6 +18,7 @@ static struct security_hook_list bpf_lsm_hooks[] __ro_after_init = {
 static const struct lsm_id bpf_lsmid = {
 .name = "bpf",
 .id = LSM_ID_BPF,
+.flags = LSM_ID_FLG_PROP_SUBJ | LSM_ID_FLG_PROP_OBJ,
 };
 
 static int __init bpf_lsm_init(void)
diff --git a/security/commoncap.c b/security/commoncap.c
index e04aa4f50eaf..fab692104c87 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -1479,6 +1479,7 @@ int cap_mmap_addr(unsigned long addr)
 static const struct lsm_id capability_lsmid = {
 .name = "capability",
 .id = LSM_ID_CAPABILITY,
+.flags = LSM_ID_FLG_NONE,
 };
 
 static struct security_hook_list capability_hooks[] __ro_after_init = {
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 770d0411da2b..b3a3324f48b1 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -1162,6 +1162,7 @@ static struct security_hook_list evm_hooks[] __ro_after_init = {
 static const struct lsm_id evm_lsmid = {
 .name = "evm",
 .id = LSM_ID_EVM,
+.flags = LSM_ID_FLG_NONE,
 };
 
 static int __init init_evm_lsm(void)
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 1687badafb48..d98e7815175b 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -1237,6 +1237,7 @@ static struct security_hook_list ima_hooks[] __ro_after_init = {
 static const struct lsm_id ima_lsmid = {
 .name = "ima",
 .id = LSM_ID_IMA,
+.flags = LSM_ID_FLG_NONE,
 };
 
 static int __init init_ima_lsm(void)
diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
index 71644748ed56..7d9cdbc3d23a 100644
--- a/security/ipe/ipe.c
+++ b/security/ipe/ipe.c
@@ -24,6 +24,7 @@ static struct lsm_blob_sizes ipe_blobs __ro_after_init = {
 static const struct lsm_id ipe_lsmid = {
 .name = "ipe",
 .id = LSM_ID_IPE,
+.flags = LSM_ID_FLG_NONE,
 };
 
 struct ipe_superblock *ipe_sb(const struct super_block *sb)
diff --git a/security/landlock/setup.c b/security/landlock/setup.c
index 47dac1736f10..5c8d5693c4c7 100644
--- a/security/landlock/setup.c
+++ b/security/landlock/setup.c
@@ -25,6 +25,7 @@ bool landlock_initialized __ro_after_init = false;
 const struct lsm_id landlock_lsmid = {
 .name = LANDLOCK_NAME,
 .id = LSM_ID_LANDLOCK,
+.flags = LSM_ID_FLG_NONE,
 };
 
 struct lsm_blob_sizes landlock_blob_sizes __ro_after_init = {
diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c
index 273ffbd6defe..05a842c36fd8 100644
--- a/security/loadpin/loadpin.c
+++ b/security/loadpin/loadpin.c
@@ -211,6 +211,7 @@ static int loadpin_load_data(enum kernel_load_data_id id, bool contents)
 static const struct lsm_id loadpin_lsmid = {
 .name = "loadpin",
 .id = LSM_ID_LOADPIN,
+.flags = LSM_ID_FLG_NONE,
 };
 
 static struct security_hook_list loadpin_hooks[] __ro_after_init = {
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index 8d46886d2cca..a2396b67bfe4 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -79,6 +79,7 @@ static struct security_hook_list lockdown_hooks[] __ro_after_init = {
 static const struct lsm_id lockdown_lsmid = {
 .name = "lockdown",
 .id = LSM_ID_LOCKDOWN,
+.flags = LSM_ID_FLG_NONE,
 };
 
 static int __init lockdown_lsm_init(void)
diff --git a/security/lsm.h b/security/lsm.h
index c432dc0c5e30..d1d54540da98 100644
--- a/security/lsm.h
+++ b/security/lsm.h
@@ -24,6 +24,10 @@ extern bool lsm_debug;
 extern unsigned int lsm_count;
 extern const struct lsm_id *lsm_idlist[];
 
+/* LSM property configuration */
+extern unsigned int lsm_count_prop_subj;
+extern unsigned int lsm_count_prop_obj;
+
 /* LSM blob configuration */
 extern struct lsm_blob_sizes blob_sizes;
 
diff --git a/security/lsm_init.c b/security/lsm_init.c
index cad6d243a2a6..c2ef4db055db 100644
--- a/security/lsm_init.c
+++ b/security/lsm_init.c
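Review bot: The new `/* LSM property configuration */` heading in the security/lsm.h hunk does not say what lsm_count_prop_subj and lsm_count_prop_obj count or when their values are valid; the same applies to their definitions in the security/security.c hunk. Both are `__ro_after_init` and, in this patch, are only incremented from the `__init` lsm_order_append(), so a reader needs to know they are final once LSM initialization completes and must not be read from code that can run earlier. A comment such as `/* number of enabled LSMs that keep subject/object data in struct lsm_prop; set during LSM init, read-only afterwards */` at the declarations would carry that.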
@@ -6,6 +6,7 @@
 #define pr_fmt(fmt) "LSM: " fmt
 
 #include <linux/init.h>
+#include <linux/lsm_count.h>
 #include <linux/lsm_hooks.h>
 
 #include "lsm.h"
@@ -189,6 +190,11 @@ static void __init lsm_order_append(struct lsm_info *lsm, const char *src)
 lsm_order[lsm_count] = lsm;
 lsm_idlist[lsm_count++] = lsm->id;
 
+if (lsm->id->flags & LSM_ID_FLG_PROP_SUBJ)
+lsm_count_prop_subj++;
+if (lsm->id->flags & LSM_ID_FLG_PROP_OBJ)
+lsm_count_prop_obj++;
+
 lsm_pr_dbg("enabling LSM %s:%s\n", src, lsm->id->name);
 }
 
diff --git a/security/safesetid/lsm.c b/security/safesetid/lsm.c
index d5fb949050dd..ac25674376fe 100644
--- a/security/safesetid/lsm.c
+++ b/security/safesetid/lsm.c
@@ -265,6 +265,7 @@ static int safesetid_task_fix_setgroups(struct cred *new, const struct cred *old
 static const struct lsm_id safesetid_lsmid = {
 .name = "safesetid",
 .id = LSM_ID_SAFESETID,
+.flags = LSM_ID_FLG_NONE,
 };
 
 static struct security_hook_list safesetid_security_hooks[] = {
diff --git a/security/security.c b/security/security.c
index cbd544d71093..2b9dde02f4de 100644
--- a/security/security.c
+++ b/security/security.c
@@ -78,6 +78,9 @@ bool lsm_debug __ro_after_init;
 unsigned int lsm_count __ro_after_init;
 const struct lsm_id *lsm_idlist[MAX_LSM_COUNT];
 
+unsigned int lsm_count_prop_subj __ro_after_init;
+unsigned int lsm_count_prop_obj __ro_after_init;
+
 struct lsm_blob_sizes blob_sizes;
 struct kmem_cache *lsm_file_cache;
 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 95b2399b1f4d..1dc4b3987af4 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -7200,6 +7200,7 @@ static int selinux_uring_allowed(void)
 static const struct lsm_id selinux_lsmid = {
 .name = "selinux",
 .id = LSM_ID_SELINUX,
+.flags = LSM_ID_FLG_PROP_SUBJ | LSM_ID_FLG_PROP_OBJ,
 };
 
 /*
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 80b129a0c92c..d04667a42f91 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
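Review bot: The added `#include <linux/lsm_count.h>` in security/lsm_init.c is not referenced by anything else this patch adds to the file, as far as the visible hunks show. If it is needed by a later patch in the series it belongs in that patch; if something outside the hunk needs it now, a sentence in the commit message saying so would save the next reviewer the same question.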
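Review bot: The two flag checks added to lsm_order_append() count the lsm_prop users without a comment on why the counts exist, and any bit in `lsm->id->flags` outside the two known flags passes through silently; a `WARN_ON_ONCE(lsm->id->flags & ~(LSM_ID_FLG_PROP_SUBJ | LSM_ID_FLG_PROP_OBJ));` at the same point would surface a mis-declared lsm_id at boot rather than leaving a stray bit for later code to misinterpret. A one-line comment, `/* track how many enabled LSMs carry subject/object lsm_prop data */`, above the first `if` would explain the counters to a reader who has not seen the commit message. The counters cannot exceed lsm_count, since each increment is paired with the `lsm_count++` on the line above. The body of lsm_order_append() starts outside the hunk.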
@@ -5042,6 +5042,7 @@ struct lsm_blob_sizes smack_blob_sizes __ro_after_init = {
 static const struct lsm_id smack_lsmid = {
 .name = "smack",
 .id = LSM_ID_SMACK,
+.flags = LSM_ID_FLG_PROP_SUBJ | LSM_ID_FLG_PROP_OBJ,
 };
 
 static struct security_hook_list smack_hooks[] __ro_after_init = {
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index a015cf0c4a00..0a030cbdf424 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -547,6 +547,7 @@ static void tomoyo_task_free(struct task_struct *task)
 static const struct lsm_id tomoyo_lsmid = {
 .name = "tomoyo",
 .id = LSM_ID_TOMOYO,
+.flags = LSM_ID_FLG_NONE,
 };
 
 /* tomoyo_hooks is used for registering TOMOYO. */
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
index 38b21ee0c560..e4a6cf663177 100644
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -419,6 +419,7 @@ static int yama_ptrace_traceme(struct task_struct *parent)
 static const struct lsm_id yama_lsmid = {
 .name = "yama",
 .id = LSM_ID_YAMA,
+.flags = LSM_ID_FLG_NONE,
 };
 
 static struct security_hook_list yama_hooks[] __ro_after_init = {
-- 
2.49.0