On Tue, May 13, 2025 at 12:39 PM Casey Schaufler <ca...@schaufler-ca.com> wrote:
> On 4/9/2025 11:50 AM, Paul Moore wrote:
> > Add two new variables, lsm_count_prop_subj and lsm_count_prop_obj, to
> > count the number of lsm_prop entries for subjects and objects across all
> > of the enabled LSMs. Future patches will use this to continue the
> > conversion towards the lsm_prop struct.
> >
> > Signed-off-by: Paul Moore <p...@paul-moore.com>
> > ---
> > include/linux/lsm_hooks.h | 6 ++++++
> > security/apparmor/lsm.c | 1 +
> > security/bpf/hooks.c | 1 +
> > security/commoncap.c | 1 +
> > security/integrity/evm/evm_main.c | 1 +
> > security/integrity/ima/ima_main.c | 1 +
> > security/ipe/ipe.c | 1 +
> > security/landlock/setup.c | 1 +
> > security/loadpin/loadpin.c | 1 +
> > security/lockdown/lockdown.c | 1 +
> > security/lsm.h | 4 ++++
> > security/lsm_init.c | 6 ++++++
> > security/safesetid/lsm.c | 1 +
> > security/security.c | 3 +++
> > security/selinux/hooks.c | 1 +
> > security/smack/smack_lsm.c | 1 +
> > security/tomoyo/tomoyo.c | 1 +
> > security/yama/yama_lsm.c | 1 +
> > 18 files changed, 33 insertions(+)
... > > diff --git a/security/bpf/hooks.c b/security/bpf/hooks.c > > index 40efde233f3a..c72df6ff69f7 100644 > > --- a/security/bpf/hooks.c > > +++ b/security/bpf/hooks.c > > @@ -18,6 +18,7 @@ static struct security_hook_list bpf_lsm_hooks[] > > __ro_after_init = { > > static const struct lsm_id bpf_lsmid = { > > .name = "bpf", > > .id = LSM_ID_BPF, > > + .flags = LSM_ID_FLG_PROP_SUBJ | LSM_ID_FLG_PROP_OBJ, > > There's a problem here. BPF can have properties, but usually does not. > Unless there's a bpf program loaded that provides them it is incorrect > to use these flags. You can't know that at initialization. > > I have an alternative that will address this that I will propose > shortly. Okay, thanks. -- paul-moore.com
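Review bot: in the security/bpf/hooks.c hunk, the added .flags = LSM_ID_FLG_PROP_SUBJ | LSM_ID_FLG_PROP_OBJ line sits inside the static const struct lsm_id bpf_lsmid initializer, so the value is fixed at build time and cannot reflect whether BPF supplies any lsm_prop entries at runtime. The commit message says lsm_count_prop_subj and lsm_count_prop_obj count entries "across all of the enabled LSMs" but does not say whether a flagged LSM is one that may provide a property or one that always does. Stating the intended meaning in the commit message, or in a comment beside the flag definitions, would let the later conversion patches be checked against it, and would make clear whether a static flag is the right mechanism for an LSM such as BPF.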