LSM: Add /sys/kernel/security/lsm
I am still tired of having to find indirect ways to determine what security modules are active on a system. I have added /sys/kernel/security/lsm, which contains a comma-separated list of the active security modules. No more groping around in /proc/filesystems or other clever hacks. Unchanged from previous versions except for being updated to the latest security-next branch. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Acked-by: John Johansen <john.johansen@canonical.com> Acked-by: Paul Moore <paul@paul-moore.com> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <james.l.morris@oracle.com>
committed by
James Morris
parent
3ccb76c5df
commit
d69dece5f5
@ -32,6 +32,7 @@
|
||||
/* Maximum number of letters for an LSM name string */
|
||||
#define SECURITY_NAME_MAX 10
|
||||
|
||||
char *lsm_names;
|
||||
/* Boot-time LSM user choice */
|
||||
static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
|
||||
CONFIG_DEFAULT_SECURITY;
|
||||
@ -78,6 +79,22 @@ static int __init choose_lsm(char *str)
|
||||
}
|
||||
__setup("security=", choose_lsm);
|
||||
|
||||
static int lsm_append(char *new, char **result)
|
||||
{
|
||||
char *cp;
|
||||
|
||||
if (*result == NULL) {
|
||||
*result = kstrdup(new, GFP_KERNEL);
|
||||
} else {
|
||||
cp = kasprintf(GFP_KERNEL, "%s,%s", *result, new);
|
||||
if (cp == NULL)
|
||||
return -ENOMEM;
|
||||
kfree(*result);
|
||||
*result = cp;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* security_module_enable - Load given security module on boot ?
|
||||
* @module: the name of the module
|
||||
@ -97,6 +114,27 @@ int __init security_module_enable(const char *module)
|
||||
return !strcmp(module, chosen_lsm);
|
||||
}
|
||||
|
||||
/**
|
||||
* security_add_hooks - Add a modules hooks to the hook lists.
|
||||
* @hooks: the hooks to add
|
||||
* @count: the number of hooks to add
|
||||
* @lsm: the name of the security module
|
||||
*
|
||||
* Each LSM has to register its hooks with the infrastructure.
|
||||
*/
|
||||
void __init security_add_hooks(struct security_hook_list *hooks, int count,
|
||||
char *lsm)
|
||||
{
|
||||
int i;
|
||||
|
||||
for (i = 0; i < count; i++) {
|
||||
hooks[i].lsm = lsm;
|
||||
list_add_tail_rcu(&hooks[i].list, hooks[i].head);
|
||||
}
|
||||
if (lsm_append(lsm, &lsm_names) < 0)
|
||||
panic("%s - Cannot get early memory.\n", __func__);
|
||||
}
|
||||
|
||||
/*
|
||||
* Hook list operation macros.
|
||||
*
|
||||
|
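Review bot: In the second hunk (@ -78,6 +79,22), lsm_append() never checks the result of kstrdup() in its `*result == NULL` branch, so an allocation failure leaves `*result` NULL and the function still returns 0; the panic() guard added to security_add_hooks() in the third hunk therefore cannot fire for the first module registered, and that module's name is silently dropped from lsm_names when the next append starts over from NULL. Handle it the same way the kasprintf() path does: `*result = kstrdup(new, GFP_KERNEL);` followed by `if (*result == NULL) return -ENOMEM;`. While there, nothing writes through `new`, so the parameter can be `const char *new`, and since the only visible caller is an `__init` function the helper could carry `__init` too so its text is discarded after boot. lsm_names is defined non-static here; I assume its extern declaration and the securityfs reader that consumes it live outside this section.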