Rename append_ordered_lsm() to lsm_order_append() to better match
convention and do some rework. The rework includes moving the
LSM_FLAG_EXCLUSIVE logic from lsm_prepare() to lsm_order_append()
in order to consolidate the individual LSM append/activation code,
and adding logic to skip appending explicitly disabled LSMs to the
active LSM list.
Signed-off-by: Paul Moore <p...@paul-moore.com>
---
security/lsm_init.c | 76 +++++++++++++++++++++++++--------------------
1 file changed, 43 insertions(+), 33 deletions(-)
diff --git a/security/lsm_init.c b/security/lsm_init.c
index 01825da2755f..8c632ab77da9 100644
--- a/security/lsm_init.c
+++ b/security/lsm_init.c
@@ -124,24 +124,48 @@ static bool __init lsm_order_exists(struct lsm_info *lsm)
return false;
}
-/* Append an LSM to the list of ordered LSMs to initialize. */
-static int last_lsm __initdata;
-static void __init append_ordered_lsm(struct lsm_info *lsm, const char *from)
+/**
+ * lsm_order_append - Append a LSM to the ordered list
+ * @lsm: LSM definition
+ * @src: source of the addition
+ *
+ * Append @lsm to the enabled LSM array after ensuring that it hasn't been
+ * explicitly disabled, is a duplicate entry, or would run afoul of the
+ * LSM_FLAG_EXCLUSIVE logic.
+ */
+static void __init lsm_order_append(struct lsm_info *lsm, const char *src)
{
/* Ignore duplicate selections. */
if (lsm_order_exists(lsm))
return;
- if (WARN(last_lsm == MAX_LSM_COUNT, "%s: out of LSM static calls!?\n",
from))
- return;
+ /* Skip explicitly disabled LSMs. */
+ if (lsm->enabled && !lsm_is_enabled(lsm))
+ goto out;
- /* Enable this LSM, if it is not already set. */
- if (!lsm->enabled)
- lsm->enabled = &lsm_enabled_true;
- lsm_order[last_lsm] = lsm;
- lsm_idlist[last_lsm++] = lsm->id;
+ if (WARN(lsm_active_cnt == MAX_LSM_COUNT,
+ "%s: out of LSM static calls!?\n", src)) {
+ lsm_enabled_set(lsm, false);
+ goto out;
+ }
- init_debug("%s ordered: %s (%s)\n", from, lsm->id->name,
+ if (lsm->flags & LSM_FLAG_EXCLUSIVE) {
+ if (lsm_exclusive) {
+ init_debug("exclusive disabled: %s\n", lsm->id->name);
+ lsm_enabled_set(lsm, false);
+ goto out;
+ } else {
+ init_debug("exclusive chosen: %s\n", lsm->id->name);
+ lsm_exclusive = lsm;
+ }
+ }
+
+ lsm_enabled_set(lsm, true);
+ lsm_order[lsm_active_cnt] = lsm;
+ lsm_idlist[lsm_active_cnt++] = lsm->id;
+
+out:
+ init_debug("%s ordered: %s (%s)\n", src, lsm->id->name,
lsm_is_enabled(lsm) ? "enabled" : "disabled");
}
@@ -163,26 +187,12 @@ static void __init lsm_set_blob_size(int *need, int *lbs)
*/
static void __init lsm_prepare(struct lsm_info *lsm)
{
- struct lsm_blob_sizes *blobs;
+ struct lsm_blob_sizes *blobs = lsm->blobs;
- if (!lsm_is_enabled(lsm)) {
- lsm_enabled_set(lsm, false);
+ if (!blobs)
return;
- } else if ((lsm->flags & LSM_FLAG_EXCLUSIVE) && lsm_exclusive) {
- init_debug("exclusive disabled: %s\n", lsm->id->name);
- lsm_enabled_set(lsm, false);
- return;
- }
-
- /* Mark the LSM as enabled. */
- lsm_enabled_set(lsm, true);
- if ((lsm->flags & LSM_FLAG_EXCLUSIVE) && !lsm_exclusive) {
- init_debug("exclusive chosen: %s\n", lsm->id->name);
- lsm_exclusive = lsm;
- }
/* Register the LSM blob sizes. */
- blobs = lsm->blobs;
lsm_set_blob_size(&blobs->lbs_cred, &blob_sizes.lbs_cred);
lsm_set_blob_size(&blobs->lbs_file, &blob_sizes.lbs_file);
lsm_set_blob_size(&blobs->lbs_ib, &blob_sizes.lbs_ib);
@@ -224,7 +234,7 @@ static void __init ordered_lsm_parse(const char *order,
const char *origin)
/* LSM_ORDER_FIRST is always first. */
lsm_for_each_raw(lsm) {
if (lsm->order == LSM_ORDER_FIRST)
- append_ordered_lsm(lsm, " first");
+ lsm_order_append(lsm, " first");
}
/* Process "security=", if given. */
@@ -256,7 +266,7 @@ static void __init ordered_lsm_parse(const char *order,
const char *origin)
lsm_for_each_raw(lsm) {
if (strcmp(lsm->id->name, name) == 0) {
if (lsm->order == LSM_ORDER_MUTABLE)
- append_ordered_lsm(lsm, origin);
+ lsm_order_append(lsm, origin);
found = true;
}
}
@@ -272,14 +282,14 @@ static void __init ordered_lsm_parse(const char *order,
const char *origin)
if (lsm_order_exists(lsm))
continue;
if (strcmp(lsm->id->name, lsm_order_legacy) == 0)
- append_ordered_lsm(lsm, "security=");
+ lsm_order_append(lsm, "security=");
}
}
/* LSM_ORDER_LAST is always last. */
lsm_for_each_raw(lsm) {
if (lsm->order == LSM_ORDER_LAST)
- append_ordered_lsm(lsm, " last");
+ lsm_order_append(lsm, " last");
}
/* Disable all LSMs not in the ordered list. */
@@ -409,8 +419,8 @@ int __init early_security_init(void)
struct lsm_info *lsm;
lsm_early_for_each_raw(lsm) {
- if (!lsm->enabled)
- lsm->enabled = &lsm_enabled_true;
+ lsm_enabled_set(lsm, true);
+ lsm_order_append(lsm, "early");
lsm_prepare(lsm);
initialize_lsm(lsm);
}
--
2.50.1
