-rw-r--r--include/linux/lsm_hooks.h6
-rw-r--r--security/security.c9
2 files changed, 14 insertions, 1 deletions
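--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -2045,8 +2045,14 @@ extern void security_add_hooks(struct security_hook_list *hooks, int count,
 #define LSM_FLAG_LEGACY_MAJOR	BIT(0)
 #define LSM_FLAG_EXCLUSIVE	BIT(1)
 
+enum lsm_order {
+	LSM_ORDER_FIRST = -1,	/* This is only for capabilities. */
+	LSM_ORDER_MUTABLE = 0,
+};
+
 struct lsm_info {
 	const char *name;	/* Required. */
+	enum lsm_order order;	/* Optional: default is LSM_ORDER_MUTABLE */
 	unsigned long flags;	/* Optional: flags describing LSM */
 	int *enabled;	/* Optional: controlled by CONFIG_LSM */
 	int (*init)(void);	/* Required. */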
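Review bot: The zero value of LSM_ORDER_MUTABLE is load-bearing but undocumented: the new `order` field is described as "Optional: default is LSM_ORDER_MUTABLE", which only holds because an lsm_info that leaves `.order` unset gets the enum member whose value is 0. Suggest making that explicit, e.g. `LSM_ORDER_MUTABLE = 0,	/* Must stay 0: an lsm_info that omits .order is mutable. */`. The comment on LSM_ORDER_FIRST names the intended user rather than the contract; per the security.c hunk on this page such a module is appended before the order string is parsed and is not matched by it, so something like `/* Always enabled and placed first; not selectable through the order list. */` would tell a future DEFINE_LSM author what choosing it means.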
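--- a/security/security.c
+++ b/security/security.c
@@ -174,6 +174,12 @@ static void __init ordered_lsm_parse(const char *order, const char *origin)
 	struct lsm_info *lsm;
 	char *sep, *name, *next;
 
+	/* LSM_ORDER_FIRST is always first. */
+	for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
+		if (lsm->order == LSM_ORDER_FIRST)
+			append_ordered_lsm(lsm, "first");
+	}
+
 	/* Process "security=", if given. */
 	if (chosen_major_lsm) {
 		struct lsm_info *major;
@@ -202,7 +208,8 @@ static void __init ordered_lsm_parse(const char *order, const char *origin)
 		bool found = false;
 
 		for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
-			if (strcmp(lsm->name, name) == 0) {
+			if (lsm->order == LSM_ORDER_MUTABLE &&
+			    strcmp(lsm->name, name) == 0) {
 				append_ordered_lsm(lsm, origin);
 				found = true;
 			}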
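Review bot: In the second hunk a name in the order string that refers to an LSM_ORDER_FIRST module now matches nothing, so `found` stays false for it, and whatever the code after the loop does with `found` (it is outside the hunk) will treat a module that the first hunk has already activated as unknown. The same order filter is also absent from the `security=` branch, whose body continues past the first hunk, so a FIRST module named there may be appended a second time unless append_ordered_lsm() rejects duplicates — worth confirming. Matching on the name first and only appending when the order is mutable keeps the bookkeeping accurate without changing which modules end up in the list. ordered_lsm_parse() starts and ends outside both hunks.
```c
		for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
			if (strcmp(lsm->name, name) == 0) {
				/* LSM_ORDER_FIRST modules were appended before the
				 * order string was parsed; a matching name is valid
				 * but must not be added again. */
				if (lsm->order == LSM_ORDER_MUTABLE)
					append_ordered_lsm(lsm, origin);
				found = true;
			}
		}
```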