Only SELinux specifies LSM_FLAG_EXCLUSIVE, so there is no point in enforcing it. There is no expectation that new exclusive security modules will be accepted, as the reasons for exclusivity have been addressed. The LSM_FLAG_EXCLUSIVE flag and its enforcement can be removed.
Signed-off-by: Casey Schaufler <ca...@schaufler-ca.com>
---
 include/linux/lsm_hooks.h | 1 -
 security/lsm_init.c | 17 +----------------
 security/selinux/hooks.c | 2 +-
 3 files changed, 2 insertions(+), 18 deletions(-)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 06e840fd4b63..717541fcd653 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -149,7 +149,6 @@ extern void security_add_hooks(struct security_hook_list *hooks, int count,
 const struct lsm_id *lsmid);
 #define LSM_FLAG_LEGACY_MAJOR BIT(0)
-#define LSM_FLAG_EXCLUSIVE BIT(1)
 enum lsm_order {
 LSM_ORDER_FIRST = -1, /* This is only for capabilities. */
diff --git a/security/lsm_init.c b/security/lsm_init.c
index 784f8296966f..3d8f59104d8f 100644
--- a/security/lsm_init.c
+++ b/security/lsm_init.c
@@ -28,7 +28,6 @@ static __initdata const char *lsm_order_cmdline;
 static __initdata const char *lsm_order_legacy;
 /* Ordered list of LSMs to initialize. */
-static __initdata struct lsm_info *lsm_exclusive;
 static __initdata struct lsm_info *lsm_order[MAX_LSM_COUNT + 1];
 #define lsm_order_for_each(iter) \
@@ -150,8 +149,7 @@ static bool __init lsm_order_exists(struct lsm_info *lsm)
 * @src: source of the addition
 *
 * Append @lsm to the enabled LSM array after ensuring that it hasn't been
- * explicitly disabled, is a duplicate entry, or would run afoul of the
- * LSM_FLAG_EXCLUSIVE logic.
+ * explicitly disabled or is a duplicate entry.
 */
 static void __init lsm_order_append(struct lsm_info *lsm, const char *src)
 {
@@ -173,19 +171,6 @@ static void __init lsm_order_append(struct lsm_info *lsm, const char *src)
 return;
 }
- if (lsm->flags & LSM_FLAG_EXCLUSIVE) {
- if (lsm_exclusive) {
- lsm_pr_dbg("skip exclusive LSM conflict %s:%s\n",
- src, lsm->id->name);
- lsm_enabled_set(lsm, false);
- return;
- } else {
- lsm_pr_dbg("select exclusive LSM %s:%s\n",
- src, lsm->id->name);
- lsm_exclusive = lsm;
- }
- }
-
 lsm_enabled_set(lsm, true);
 lsm_order[lsm_count] = lsm;
 lsm_idlist[lsm_count++] = lsm->id;
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 9578b63bbd2a..039d03be91f0 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -7675,7 +7675,7 @@ void selinux_complete_init(void)
 all processes and objects when they are created. */
 DEFINE_LSM(selinux) = {
 .id = &selinux_lsmid,
- .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
+ .flags = LSM_FLAG_LEGACY_MAJOR,
 .enabled = &selinux_enabled_boot,
 .blobs = &selinux_blob_sizes,
 .init = selinux_init,
-- 
2.47.0
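Review bot: With the exclusive branch removed from lsm_order_append, every LSM that reaches this point now goes straight to `lsm_enabled_set(lsm, true);`, and the `select exclusive LSM %s:%s` / `skip exclusive LSM conflict %s:%s` lines were the only boot-time trace in this hunk of which legacy-major module was enabled or rejected, so a `lsm=` list that used to be trimmed here is now enabled silently. Unless the accept path is already traced elsewhere in the function (its start and end lie outside this hunk), a single `lsm_pr_dbg("enable LSM %s:%s\n", src, lsm->id->name);` immediately before `lsm_enabled_set(lsm, true);` would keep that visibility for debugging LSM ordering. The commit message states that the reasons for exclusivity have been addressed, but nothing in the diff shows what made concurrently enabled major modules safe, so a reference to the earlier work in the message would let reviewers judge the removal rather than take it on trust; the same applies to the one-token change in the selinux/hooks.c hunk, which inherits this behaviour.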