Merge branch 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull security subsystem updates from James Morris: "In this patchset, there are a couple of minor updates, as well as some reworking of the LSM initialization code from Kees Cook (these prepare the way for ordered stackable LSMs, but are a valuable cleanup on their own)" * 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: LSM: Don't ignore initialization failures LSM: Provide init debugging infrastructure LSM: Record LSM name in struct lsm_info LSM: Convert security_initcall() into DEFINE_LSM() vmlinux.lds.h: Move LSM_TABLE into INIT_DATA LSM: Convert from initcall to struct lsm_info LSM: Remove initcall tracing LSM: Rename .security_initcall section to .lsm_info vmlinux.lds.h: Avoid copy/paste of security_init section LSM: Correctly announce start of LSM initialization security: fix LSM description location keys: Fix the use of the C++ keyword "private" in uapi/linux/keyctl.h seccomp: remove unnecessary unlikely() security: tomoyo: Fix obsolete function security/capabilities: remove check for -EINVAL
author: Linus Torvalds <torvalds@linux-foundation.org> 2018-10-24 06:49:35 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2018-10-24 06:49:35 -0400
commit: 638820d8da8ededd6dc609beaef02d5396599c03 (patch)
tree: 7b0076c6e4ea30935f1d9a1af90f7c57d4b9a99f /security/security.c
parent: d5e4d81da4d443d54b0b5c28ba6d26be297c509b (diff)
parent: 3f6caaf5ff33073ca1a3a0b82edacab3c57c38f9 (diff)
1 files changed, 27 insertions, 16 deletions
diff --git a/security/security.c b/security/security.c
index 0d504fceda8b..04d173eb93f6 100644
--- a/security/security.c
+++ b/security/security.c
@@ -12,6 +12,8 @@
 *      (at your option) any later version.
 */
+#define pr_fmt(fmt) "LSM: " fmt
 #include <linux/bpf.h>
 #include <linux/capability.h>
 #include <linux/dcache.h>
@@ -30,8 +32,6 @@
 #include <linux/string.h>
 #include <net/flow.h>
-#include <trace/events/initcall.h>
 #define MAX_LSM_EVM_XATTR       2
 /* Maximum number of letters for an LSM name string */
@@ -45,20 +45,22 @@ char *lsm_names;
 static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
        CONFIG_DEFAULT_SECURITY;
-static void __init do_security_initcalls(void)
+static __initdata bool debug;
+#define init_debug(...)                                         \
+        do {                                                    \
+                if (debug)                                      \
+                        pr_info(__VA_ARGS__);                   \
+        } while (0)
+static void __init major_lsm_init(void)
 {
+        struct lsm_info *lsm;
        int ret;
-        initcall_t call;
-        initcall_entry_t *ce;
+        for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
+                init_debug("initializing %s\n", lsm->name);
-        ce = __security_initcall_start;
+                ret = lsm->init();
-        trace_initcall_level("security");
+                WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret);
-        while (ce < __security_initcall_end) {
-                call = initcall_from_entry(ce);
-                trace_initcall_start(call);
-                ret = call();
-                trace_initcall_finish(call, ret);
-                ce++;
        }
 }
@@ -72,10 +74,11 @@ int __init security_init(void)
        int i;
        struct hlist_head *list = (struct hlist_head *) &security_hook_heads;
+        pr_info("Security Framework initializing\n");
        for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct hlist_head);
             i++)
                INIT_HLIST_HEAD(&list[i]);
-        pr_info("Security Framework initialized\n");
        /*
         * Load minor LSMs, with the capability module always first.
@@ -87,7 +90,7 @@ int __init security_init(void)
        /*
         * Load all the remaining security modules.
         */
-        do_security_initcalls();
+        major_lsm_init();
        return 0;
 }
@@ -100,6 +103,14 @@ static int __init choose_lsm(char *str)
 }
 __setup("security=", choose_lsm);
+/* Enable LSM order debugging. */
+static int __init enable_debug(char *str)
+{
+        debug = true;
+        return 1;
+}
+__setup("lsm.debug", enable_debug);
 static bool match_last_lsm(const char *list, const char *lsm)
 {
        const char *last;
author	Linus Torvalds <torvalds@linux-foundation.org>	2018-10-24 06:49:35 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2018-10-24 06:49:35 -0400
commit	638820d8da8ededd6dc609beaef02d5396599c03 (patch)
tree	7b0076c6e4ea30935f1d9a1af90f7c57d4b9a99f /security/security.c
parent	d5e4d81da4d443d54b0b5c28ba6d26be297c509b (diff)
parent	3f6caaf5ff33073ca1a3a0b82edacab3c57c38f9 (diff)

diff --git a/security/security.c b/security/security.c index 0d504fceda8b..04d173eb93f6 100644 --- a/security/security.c +++ b/security/security.c
@@ -12,6 +12,8 @@
12	* (at your option) any later version.	12	* (at your option) any later version.
13	*/	13	*/
14		14
		15	#define pr_fmt(fmt) "LSM: " fmt
		16
15	#include <linux/bpf.h>	17	#include <linux/bpf.h>
16	#include <linux/capability.h>	18	#include <linux/capability.h>
17	#include <linux/dcache.h>	19	#include <linux/dcache.h>
@@ -30,8 +32,6 @@
30	#include <linux/string.h>	32	#include <linux/string.h>
31	#include <net/flow.h>	33	#include <net/flow.h>
32		34
33	#include <trace/events/initcall.h>
34
35	#define MAX_LSM_EVM_XATTR 2	35	#define MAX_LSM_EVM_XATTR 2
36		36
37	/* Maximum number of letters for an LSM name string */	37	/* Maximum number of letters for an LSM name string */
@@ -45,20 +45,22 @@ char *lsm_names;
45	static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =	45	static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
46	CONFIG_DEFAULT_SECURITY;	46	CONFIG_DEFAULT_SECURITY;
47		47
48	static void __init do_security_initcalls(void)	48	static __initdata bool debug;
		49	#define init_debug(...) \
		50	do { \
		51	if (debug) \
		52	pr_info(__VA_ARGS__); \
		53	} while (0)
		54
		55	static void __init major_lsm_init(void)
49	{	56	{
		57	struct lsm_info *lsm;
50	int ret;	58	int ret;
51	initcall_t call;	59
52	initcall_entry_t *ce;	60	for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
53		61	init_debug("initializing %s\n", lsm->name);
54	ce = __security_initcall_start;	62	ret = lsm->init();
55	trace_initcall_level("security");	63	WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret);
56	while (ce < __security_initcall_end) {
57	call = initcall_from_entry(ce);
58	trace_initcall_start(call);
59	ret = call();
60	trace_initcall_finish(call, ret);
61	ce++;
62	}	64	}
63	}	65	}
64		66
@@ -72,10 +74,11 @@ int __init security_init(void)
72	int i;	74	int i;
73	struct hlist_head list = (struct hlist_head ) &security_hook_heads;	75	struct hlist_head list = (struct hlist_head ) &security_hook_heads;
74		76
		77	pr_info("Security Framework initializing\n");
		78
75	for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct hlist_head);	79	for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct hlist_head);
76	i++)	80	i++)
77	INIT_HLIST_HEAD(&list[i]);	81	INIT_HLIST_HEAD(&list[i]);
78	pr_info("Security Framework initialized\n");
79		82
80	/*	83	/*
81	* Load minor LSMs, with the capability module always first.	84	* Load minor LSMs, with the capability module always first.
@@ -87,7 +90,7 @@ int __init security_init(void)
87	/*	90	/*
88	* Load all the remaining security modules.	91	* Load all the remaining security modules.
89	*/	92	*/
90	do_security_initcalls();	93	major_lsm_init();
91		94
92	return 0;	95	return 0;
93	}	96	}
@@ -100,6 +103,14 @@ static int __init choose_lsm(char *str)
100	}	103	}
101	__setup("security=", choose_lsm);	104	__setup("security=", choose_lsm);
102		105
		106	/* Enable LSM order debugging. */
		107	static int __init enable_debug(char *str)
		108	{
		109	debug = true;
		110	return 1;
		111	}
		112	__setup("lsm.debug", enable_debug);
		113
103	static bool match_last_lsm(const char list, const char lsm)	114	static bool match_last_lsm(const char list, const char lsm)
104	{	115	{
105	const char *last;	116	const char *last;