LoadPin: Rename boot param "enabled" to "enforce"

LoadPin's "enabled" setting is really about enforcement, not whether or not the LSM is using LSM hooks. Instead, split this out so that LSM enabling can be logically distinct from whether enforcement is happening (for example, the pinning happens when the LSM is enabled, but the pin is only checked when "enforce" is set). This allows LoadPin to continue to operate sanely in test environments once LSM enable/disable is centrally handled (i.e. we want LoadPin to be enabled separately from its enforcement). Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: John Johansen <john.johansen@canonical.com>
author: Kees Cook <keescook@chromium.org> 2018-09-24 17:43:59 -0400
committer: Kees Cook <keescook@chromium.org> 2018-10-18 18:29:44 -0400
commit: 13523bef1e2154b6d02836cd0f6c0ffc89b2eae6 (patch)
tree: eb769876befa1a7c81ed78748d9ccc0d3ec46501
parent: f4b626d6de15149329332796e96709e0c4c84577 (diff)
2 files changed, 13 insertions, 12 deletions
diff --git a/security/loadpin/Kconfig b/security/loadpin/Kconfig
index dd01aa91e521..a0d70d82b98e 100644
--- a/security/loadpin/Kconfig
+++ b/security/loadpin/Kconfig
@@ -10,10 +10,10 @@ config SECURITY_LOADPIN
          have a root filesystem backed by a read-only device such as
          dm-verity or a CDROM.
-config SECURITY_LOADPIN_ENABLED
+config SECURITY_LOADPIN_ENFORCE
        bool "Enforce LoadPin at boot"
        depends on SECURITY_LOADPIN
        help
          If selected, LoadPin will enforce pinning at boot. If not
          selected, it can be enabled at boot with the kernel parameter
-          "loadpin.enabled=1".
+          "loadpin.enforce=1".
diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c
index f062672d6b35..48f39631b370 100644
--- a/security/loadpin/loadpin.c
+++ b/security/loadpin/loadpin.c
@@ -44,7 +44,7 @@ static void report_load(const char *origin, struct file *file, char *operation)
        kfree(pathname);
 }
-static int enabled = IS_ENABLED(CONFIG_SECURITY_LOADPIN_ENABLED);
+static int enforce = IS_ENABLED(CONFIG_SECURITY_LOADPIN_ENFORCE);
 static struct super_block *pinned_root;
 static DEFINE_SPINLOCK(pinned_root_spinlock);
@@ -60,8 +60,8 @@ static struct ctl_path loadpin_sysctl_path[] = {
 static struct ctl_table loadpin_sysctl_table[] = {
        {
-                .procname       = "enabled",
+                .procname       = "enforce",
-                .data           = &enabled,
+                .data           = &enforce,
                .maxlen         = sizeof(int),
                .mode           = 0644,
                .proc_handler   = proc_dointvec_minmax,
@@ -100,7 +100,7 @@ static void check_pinning_enforcement(struct super_block *mnt_sb)
                                           loadpin_sysctl_table))
                        pr_notice("sysctl registration failed!\n");
                else
-                        pr_info("load pinning can be disabled.\n");
+                        pr_info("enforcement can be disabled.\n");
        } else
                pr_info("load pinning engaged.\n");
 }
@@ -131,7 +131,7 @@ static int loadpin_read_file(struct file *file, enum kernel_read_file_id id)
        /* This handles the older init_module API that has a NULL file. */
        if (!file) {
-                if (!enabled) {
+                if (!enforce) {
                        report_load(origin, NULL, "old-api-pinning-ignored");
                        return 0;
                }
@@ -154,7 +154,7 @@ static int loadpin_read_file(struct file *file, enum kernel_read_file_id id)
                 * Unlock now since it's only pinned_root we care about.
                 * In the worst case, we will (correctly) report pinning
                 * failures before we have announced that pinning is
-                 * enabled. This would be purely cosmetic.
+                 * enforcing. This would be purely cosmetic.
                 */
                spin_unlock(&pinned_root_spinlock);
                check_pinning_enforcement(pinned_root);
@@ -164,7 +164,7 @@ static int loadpin_read_file(struct file *file, enum kernel_read_file_id id)
        }
        if (IS_ERR_OR_NULL(pinned_root) || load_root != pinned_root) {
-                if (unlikely(!enabled)) {
+                if (unlikely(!enforce)) {
                        report_load(origin, file, "pinning-ignored");
                        return 0;
                }
@@ -189,10 +189,11 @@ static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = {
 void __init loadpin_add_hooks(void)
 {
-        pr_info("ready to pin (currently %sabled)", enabled ? "en" : "dis");
+        pr_info("ready to pin (currently %senforcing)\n",
+                enforce ? "" : "not ");
        security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), "loadpin");
 }
 /* Should not be mutable after boot, so not listed in sysfs (perm == 0). */
-module_param(enabled, int, 0);
+module_param(enforce, int, 0);
-MODULE_PARM_DESC(enabled, "Pin module/firmware loading (default: true)");
+MODULE_PARM_DESC(enforce, "Enforce module/firmware pinning");
author	Kees Cook <keescook@chromium.org>	2018-09-24 17:43:59 -0400
committer	Kees Cook <keescook@chromium.org>	2018-10-18 18:29:44 -0400
commit	13523bef1e2154b6d02836cd0f6c0ffc89b2eae6 (patch)
tree	eb769876befa1a7c81ed78748d9ccc0d3ec46501
parent	f4b626d6de15149329332796e96709e0c4c84577 (diff)