diff options
| author | Kees Cook <keescook@chromium.org> | 2018-10-10 18:45:22 -0400 |
|---|---|---|
| committer | Kees Cook <keescook@chromium.org> | 2019-01-08 16:18:43 -0500 |
| commit | d8e9bbd4fa7f654bd877a312fc4104c6e5e5c6ca (patch) | |
| tree | d85b1e9410ba9e37a64eb22949f114fc0e87d166 /security/security.c | |
| parent | c91d8106b370593b4d3dcc0b06282bf39478ae13 (diff) | |
LSM: Split LSM preparation from initialization
Since we already have to do a pass through the LSMs to figure out if
exclusive LSMs should be disabled after the first one is seen as enabled,
this splits the logic up a bit more cleanly. Now we do a full "prepare"
pass through the LSMs (which also allows for later use by the blob-sharing
code), before starting the LSM initialization pass.
Signed-off-by: Kees Cook <keescook@chromium.org>
Diffstat (limited to 'security/security.c')
| -rw-r--r-- | security/security.c | 21 |
1 files changed, 15 insertions, 6 deletions
diff --git a/security/security.c b/security/security.c index 2d08a5357bf4..46c5b0fa515e 100644 --- a/security/security.c +++ b/security/security.c | |||
| @@ -139,22 +139,28 @@ static bool __init lsm_allowed(struct lsm_info *lsm) | |||
| 139 | return true; | 139 | return true; |
| 140 | } | 140 | } |
| 141 | 141 | ||
| 142 | /* Check if LSM should be initialized. */ | 142 | /* Prepare LSM for initialization. */ |
| 143 | static void __init maybe_initialize_lsm(struct lsm_info *lsm) | 143 | static void __init prepare_lsm(struct lsm_info *lsm) |
| 144 | { | 144 | { |
| 145 | int enabled = lsm_allowed(lsm); | 145 | int enabled = lsm_allowed(lsm); |
| 146 | 146 | ||
| 147 | /* Record enablement (to handle any following exclusive LSMs). */ | 147 | /* Record enablement (to handle any following exclusive LSMs). */ |
| 148 | set_enabled(lsm, enabled); | 148 | set_enabled(lsm, enabled); |
| 149 | 149 | ||
| 150 | /* If selected, initialize the LSM. */ | 150 | /* If enabled, do pre-initialization work. */ |
| 151 | if (enabled) { | 151 | if (enabled) { |
| 152 | int ret; | ||
| 153 | |||
| 154 | if ((lsm->flags & LSM_FLAG_EXCLUSIVE) && !exclusive) { | 152 | if ((lsm->flags & LSM_FLAG_EXCLUSIVE) && !exclusive) { |
| 155 | exclusive = lsm; | 153 | exclusive = lsm; |
| 156 | init_debug("exclusive chosen: %s\n", lsm->name); | 154 | init_debug("exclusive chosen: %s\n", lsm->name); |
| 157 | } | 155 | } |
| 156 | } | ||
| 157 | } | ||
| 158 | |||
| 159 | /* Initialize a given LSM, if it is enabled. */ | ||
| 160 | static void __init initialize_lsm(struct lsm_info *lsm) | ||
| 161 | { | ||
| 162 | if (is_enabled(lsm)) { | ||
| 163 | int ret; | ||
| 158 | 164 | ||
| 159 | init_debug("initializing %s\n", lsm->name); | 165 | init_debug("initializing %s\n", lsm->name); |
| 160 | ret = lsm->init(); | 166 | ret = lsm->init(); |
| @@ -240,7 +246,10 @@ static void __init ordered_lsm_init(void) | |||
| 240 | ordered_lsm_parse(builtin_lsm_order, "builtin"); | 246 | ordered_lsm_parse(builtin_lsm_order, "builtin"); |
| 241 | 247 | ||
| 242 | for (lsm = ordered_lsms; *lsm; lsm++) | 248 | for (lsm = ordered_lsms; *lsm; lsm++) |
| 243 | maybe_initialize_lsm(*lsm); | 249 | prepare_lsm(*lsm); |
| 250 | |||
| 251 | for (lsm = ordered_lsms; *lsm; lsm++) | ||
| 252 | initialize_lsm(*lsm); | ||
| 244 | 253 | ||
| 245 | kfree(ordered_lsms); | 254 | kfree(ordered_lsms); |
| 246 | } | 255 | } |