LSM: Introduce "lsm=" for boottime LSM selection

Provide a way to explicitly choose LSM initialization order via the new
"lsm=" comma-separated list of LSMs.

Signed-off-by: Kees Cook <keescook@chromium.org>

1 files changed, 13 insertions, 1 deletions

diff --git a/security/security.c b/security/security.c
index 11a42cd313c5..2e1f48e8a6f2 100644
--- a/security/security.c
+++ b/security/security.c
@@ -47,6 +47,7 @@ char *lsm_names;
 /* Boot-time LSM user choice */
 static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
         CONFIG_DEFAULT_SECURITY;
+static __initdata const char *chosen_lsm_order;
 
 static __initconst const char * const builtin_lsm_order = CONFIG_LSM;
 
@@ -190,7 +191,10 @@ static void __init ordered_lsm_init(void)
         ordered_lsms = kcalloc(LSM_COUNT + 1, sizeof(*ordered_lsms),
                                 GFP_KERNEL);
 
-        ordered_lsm_parse(builtin_lsm_order, "builtin");
+        if (chosen_lsm_order)
+                ordered_lsm_parse(chosen_lsm_order, "cmdline");
+        else
+                ordered_lsm_parse(builtin_lsm_order, "builtin");
 
         for (lsm = ordered_lsms; *lsm; lsm++)
                 maybe_initialize_lsm(*lsm);
@@ -252,6 +256,14 @@ static int __init choose_lsm(char *str)
 }
 __setup("security=", choose_lsm);
 
+/* Explicitly choose LSM initialization order. */
+static int __init choose_lsm_order(char *str)
+{
+        chosen_lsm_order = str;
+        return 1;
+}
+__setup("lsm=", choose_lsm_order);
+
 /* Enable LSM order debugging. */
 static int __init enable_debug(char *str)
 {