LSM: Introduce enum lsm_order

In preparation for distinguishing the "capability" LSM from other LSMs, it
must be ordered first. This introduces LSM_ORDER_MUTABLE for the general
LSMs and LSM_ORDER_FIRST for capability. In the future LSM_ORDER_LAST
for could be added for anything that must run last (e.g. Landlock may
use this).

Signed-off-by: Kees Cook <keescook@chromium.org>

1 files changed, 8 insertions, 1 deletions

diff --git a/security/security.c b/security/security.c
index 35f93b7c585b..8b673bb2a0dd 100644
--- a/security/security.c
+++ b/security/security.c
@@ -174,6 +174,12 @@ static void __init ordered_lsm_parse(const char *order, const char *origin)
         struct lsm_info *lsm;
         char *sep, *name, *next;
 
+        /* LSM_ORDER_FIRST is always first. */
+        for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
+                if (lsm->order == LSM_ORDER_FIRST)
+                        append_ordered_lsm(lsm, "first");
+        }
+
         /* Process "security=", if given. */
         if (chosen_major_lsm) {
                 struct lsm_info *major;
@@ -202,7 +208,8 @@ static void __init ordered_lsm_parse(const char *order, const char *origin)
                 bool found = false;
 
                 for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
-                        if (strcmp(lsm->name, name) == 0) {
+                        if (lsm->order == LSM_ORDER_MUTABLE &&
+                            strcmp(lsm->name, name) == 0) {
                                 append_ordered_lsm(lsm, origin);
                                 found = true;
                         }