LoadPin: Initialize as ordered LSM (70b62c25) · Commits · EulixOS / Software / Kernel

include/linux/lsm_hooks.h

+0 −5

Original line number	Diff line number	Diff line
		@@ -2095,10 +2095,5 @@ extern void __init yama_add_hooks(void);
		#else
		static inline void __init yama_add_hooks(void) { }
		#endif
		#ifdef CONFIG_SECURITY_LOADPIN
		void __init loadpin_add_hooks(void);
		#else
		static inline void loadpin_add_hooks(void) { };
		#endif

		#endif /* ! __LINUX_LSM_HOOKS_H */

+1 −38

Original line number	Diff line number	Diff line
		@@ -239,46 +239,9 @@ source "security/yama/Kconfig"

		source "security/integrity/Kconfig"

		choice
		prompt "Default security module"
		default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
		default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
		default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
		default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
		default DEFAULT_SECURITY_DAC

		help
		Select the security module that will be used by default if the
		kernel parameter security= is not specified.

		config DEFAULT_SECURITY_SELINUX
		bool "SELinux" if SECURITY_SELINUX=y

		config DEFAULT_SECURITY_SMACK
		bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y

		config DEFAULT_SECURITY_TOMOYO
		bool "TOMOYO" if SECURITY_TOMOYO=y

		config DEFAULT_SECURITY_APPARMOR
		bool "AppArmor" if SECURITY_APPARMOR=y

		config DEFAULT_SECURITY_DAC
		bool "Unix Discretionary Access Controls"

		endchoice

		config DEFAULT_SECURITY
		string
		default "selinux" if DEFAULT_SECURITY_SELINUX
		default "smack" if DEFAULT_SECURITY_SMACK
		default "tomoyo" if DEFAULT_SECURITY_TOMOYO
		default "apparmor" if DEFAULT_SECURITY_APPARMOR
		default "" if DEFAULT_SECURITY_DAC

		config LSM
		string "Ordered list of enabled LSMs"
		default "integrity"
		default "loadpin,integrity,selinux,smack,tomoyo,apparmor"
		help
		A comma-separated list of LSMs, in initialization order.
		Any LSMs left off this list will be ignored. This can be

+7 −1

Original line number	Diff line number	Diff line
		@@ -187,13 +187,19 @@ static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = {
		LSM_HOOK_INIT(kernel_load_data, loadpin_load_data),
		};

		void __init loadpin_add_hooks(void)
		static int __init loadpin_init(void)
		{
		pr_info("ready to pin (currently %senforcing)\n",
		enforce ? "" : "not ");
		security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), "loadpin");
		return 0;
		}

		DEFINE_LSM(loadpin) = {
		.name = "loadpin",
		.init = loadpin_init,
		};

		/* Should not be mutable after boot, so not listed in sysfs (perm == 0). */
		module_param(enforce, int, 0);
		MODULE_PARM_DESC(enforce, "Enforce module/firmware pinning");

+0 −1