6 files changed, 65 insertions, 4 deletions

diff --git a/security/dummy.c b/security/dummy.c
index 1ac9f8e66aa2..d797a4196b89 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -1017,7 +1017,9 @@ static inline void dummy_audit_rule_free(void *lsmrule)
 
 #endif /* CONFIG_AUDIT */
 
-struct security_operations dummy_security_ops;
+struct security_operations dummy_security_ops = {
+        .name = "dummy",
+};
 
 #define set_to_dummy_if_null(ops, function)                             \
         do {                                                            \
diff --git a/security/security.c b/security/security.c
index 2ef593ec70f3..dd0c6baed494 100644
--- a/security/security.c
+++ b/security/security.c
@@ -17,6 +17,8 @@
 #include <linux/kernel.h>
 #include <linux/security.h>
 
+/* Boot-time LSM user choice */
+static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1];
 
 /* things that live in dummy.c */
 extern struct security_operations dummy_security_ops;
@@ -67,13 +69,47 @@ int __init security_init(void)
         return 0;
 }
 
+/* Save user chosen LSM */
+static int __init choose_lsm(char *str)
+{
+        strncpy(chosen_lsm, str, SECURITY_NAME_MAX);
+        return 1;
+}
+__setup("security=", choose_lsm);
+
+/**
+ * security_module_enable - Load given security module on boot ?
+ * @ops: a pointer to the struct security_operations that is to be checked.
+ *
+ * Each LSM must pass this method before registering its own operations
+ * to avoid security registration races. This method may also be used
+ * to check if your LSM is currently loaded.
+ *
+ * Return true if:
+ *      -The passed LSM is the one chosen by user at boot time,
+ *      -or user didsn't specify a specific LSM and we're the first to ask
+ *       for registeration permissoin,
+ *      -or the passed LSM is currently loaded.
+ * Otherwise, return false.
+ */
+int __init security_module_enable(struct security_operations *ops)
+{
+        if (!*chosen_lsm)
+                strncpy(chosen_lsm, ops->name, SECURITY_NAME_MAX);
+        else if (strncmp(ops->name, chosen_lsm, SECURITY_NAME_MAX))
+                return 0;
+
+        return 1;
+}
+
 /**
  * register_security - registers a security framework with the kernel
  * @ops: a pointer to the struct security_options that is to be registered
  *
  * This function is to allow a security module to register itself with the
  * kernel security subsystem.  Some rudimentary checking is done on the @ops
- * value passed to this function.
+ * value passed to this function. You'll need to check first if your LSM
+ * is allowed to register its @ops by calling security_module_enable(@ops).
  *
  * If there is already a security module registered with the kernel,
  * an error will be returned.  Otherwise 0 is returned on success.
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index a2f7e9cf78c5..f9927f02bc3d 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5295,6 +5295,8 @@ static int selinux_key_permission(key_ref_t key_ref,
 #endif
 
 static struct security_operations selinux_ops = {
+        .name =                         "selinux",
+
         .ptrace =                       selinux_ptrace,
         .capget =                       selinux_capget,
         .capset_check =                 selinux_capset_check,
@@ -5492,6 +5494,11 @@ static __init int selinux_init(void)
 {
         struct task_security_struct *tsec;
 
+        if (!security_module_enable(&selinux_ops)) {
+                selinux_enabled = 0;
+                return 0;
+        }
+
         if (!selinux_enabled) {
                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
                 return 0;
diff --git a/security/smack/smack.h b/security/smack/smack.h
index 62c1e982849d..4a4477f5afdc 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -15,6 +15,7 @@
 
 #include <linux/capability.h>
 #include <linux/spinlock.h>
+#include <linux/security.h>
 #include <net/netlabel.h>
 
 /*
@@ -187,6 +188,7 @@ extern struct smack_known smack_known_star;
 extern struct smack_known smack_known_unset;
 
 extern struct smk_list_entry *smack_list;
+extern struct security_operations smack_ops;
 
 /*
  * Stricly for CIPSO level manipulation.
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 732ba27923c4..904bdc01a12b 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2424,7 +2424,9 @@ static void smack_release_secctx(char *secdata, u32 seclen)
 {
 }
 
-static struct security_operations smack_ops = {
+struct security_operations smack_ops = {
+        .name =                         "smack",
+
         .ptrace =                       smack_ptrace,
         .capget =                       cap_capget,
         .capset_check =                 cap_capset_check,
@@ -2557,6 +2559,9 @@ static struct security_operations smack_ops = {
  */
 static __init int smack_init(void)
 {
+        if (!security_module_enable(&smack_ops))
+                return 0;
+
         printk(KERN_INFO "Smack:  Initializing.\n");
 
         /*
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index cfae8afcc262..6ba283783b70 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -965,12 +965,21 @@ static struct vfsmount *smackfs_mount;
  *
  * register the smackfs
  *
- * Returns 0 unless the registration fails.
+ * Do not register smackfs if Smack wasn't enabled
+ * on boot. We can not put this method normally under the
+ * smack_init() code path since the security subsystem get
+ * initialized before the vfs caches.
+ *
+ * Returns true if we were not chosen on boot or if
+ * we were chosen and filesystem registration succeeded.
  */
 static int __init init_smk_fs(void)
 {
         int err;
 
+        if (!security_module_enable(&smack_ops))
+                return 0;
+
         err = register_filesystem(&smk_fs_type);
         if (!err) {
                 smackfs_mount = kern_mount(&smk_fs_type);