[RFC PATCH 5/9] Loadpol LSM: add a sysctl to lock the policy

Wed, 21 May 2025 07:02:59 -0700 

Once the policy is properly configurd, users may want to lock that
policy to ensure no future change can be applied to it.

Add a sysctl that can be toggled to lock the policy.

Signed-off-by: Simon THOBY <g...@nightmared.fr>
---
 security/loadpol/loadpol_fs.c | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/security/loadpol/loadpol_fs.c b/security/loadpol/loadpol_fs.c
index 9134d11718a0..1fec94de9f40 100644
--- a/security/loadpol/loadpol_fs.c
+++ b/security/loadpol/loadpol_fs.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 
 #include "linux/array_size.h"
+#include <linux/sysctl.h>
 #include <linux/security.h>
 
 #include "loadpol.h"
@@ -8,8 +9,22 @@
 static struct dentry *securityfs_dir;
 static struct dentry *securityfs_policy;
 
+static bool policy_locked;
 static DEFINE_MUTEX(policy_write_mutex);
 
+static const struct ctl_table sysctls[] = {
+       {
+               .procname       = "locked",
+               .data           = &policy_locked,
+               .maxlen         = sizeof(int),
+               .mode           = 0644,
+               /* only allow a transition from 0 (not locked) to 1 (locked) */
+               .proc_handler   = proc_dointvec_minmax,
+               .extra1         = SYSCTL_ONE,
+               .extra2         = SYSCTL_ONE,
+       },
+};
+
 static const struct seq_operations loadpol_policy_seqops = {
        .start = loadpol_policy_start,
        .next = loadpol_policy_next,
@@ -33,6 +48,13 @@ static ssize_t loadpol_write_policy(struct file *file, const 
char __user *buf,
        char *data;
        ssize_t ret;
 
+       /* Once the policy is locked, modifications are blocked */
+       if (policy_locked) {
+               pr_warn("Loadpol is locked, the policy cannot be modified");
+               ret = -EPERM;
+               goto out;
+       }
+
        /*
         * arbitrary size limit (to prevent a DoS but still allow loading a 
policy with a few
         * thousands of entries)
@@ -81,8 +103,15 @@ static const struct file_operations loadpol_policy_ops = {
 
 static int __init loadpol_init_fs(void)
 {
+       struct ctl_table_header *sysctl_hdr = NULL;
        int ret;
 
+       sysctl_hdr = register_sysctl_sz("security/" LOADPOL_NAME, sysctls, 
ARRAY_SIZE(sysctls));
+       if (IS_ERR(sysctl_hdr)) {
+               ret = PTR_ERR(sysctl_hdr);
+               goto err;
+       }
+
        securityfs_dir = securityfs_create_dir(LOADPOL_NAME, NULL);
        if (IS_ERR(securityfs_dir)) {
                ret = PTR_ERR(securityfs_dir);
@@ -99,6 +128,8 @@ static int __init loadpol_init_fs(void)
 
        return 0;
 err:
+       if (!IS_ERR(sysctl_hdr))
+               unregister_sysctl_table(sysctl_hdr);
        securityfs_remove(securityfs_policy);
        securityfs_remove(securityfs_dir);
        return ret;
-- 
2.49.0

Reply via email to