From 98d291708cbaab06efec195d0810a7ef60f7603a Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Wed, 10 Oct 2018 17:18:17 -0700 Subject: LSM: Correctly announce start of LSM initialization For a while now, the LSM core has said it was "initializED", rather than "initializING". This adjust the report to be more accurate (i.e. before this was reported before any LSMs had been initialized.) Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler Reviewed-by: James Morris Reviewed-by: John Johansen Signed-off-by: James Morris --- security/security.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'security/security.c') diff --git a/security/security.c b/security/security.c index 736e78da1ab9..4cbcf244a965 100644 --- a/security/security.c +++ b/security/security.c @@ -72,10 +72,11 @@ int __init security_init(void) int i; struct hlist_head *list = (struct hlist_head *) &security_hook_heads; + pr_info("Security Framework initializing\n"); + for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct hlist_head); i++) INIT_HLIST_HEAD(&list[i]); - pr_info("Security Framework initialized\n"); /* * Load minor LSMs, with the capability module always first. -- cgit v1.2.3-59-g8ed1b From b048ae6e6c7062809e4398f4d0bfe80870715d3c Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Wed, 10 Oct 2018 17:18:19 -0700 Subject: LSM: Rename .security_initcall section to .lsm_info In preparation for switching from initcall to just a regular set of pointers in a section, rename the internal section name. Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler Reviewed-by: James Morris Reviewed-by: John Johansen Signed-off-by: James Morris --- include/asm-generic/vmlinux.lds.h | 10 +++++----- include/linux/init.h | 4 ++-- security/security.c | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) (limited to 'security/security.c') diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h index 934a45395547..5079a969e612 100644 --- a/include/asm-generic/vmlinux.lds.h +++ b/include/asm-generic/vmlinux.lds.h @@ -787,14 +787,14 @@ __con_initcall_end = .; #define SECURITY_INITCALL \ - __security_initcall_start = .; \ - KEEP(*(.security_initcall.init)) \ - __security_initcall_end = .; + __start_lsm_info = .; \ + KEEP(*(.lsm_info.init)) \ + __end_lsm_info = .; /* Older linker script style for security init. */ #define SECURITY_INIT \ - .security_initcall.init : AT(ADDR(.security_initcall.init) - LOAD_OFFSET) { \ - SECURITY_INITCALL \ + .lsm_info.init : AT(ADDR(.lsm_info.init) - LOAD_OFFSET) { \ + LSM_INFO \ } #ifdef CONFIG_BLK_DEV_INITRD diff --git a/include/linux/init.h b/include/linux/init.h index 2538d176dd1f..77636539e77c 100644 --- a/include/linux/init.h +++ b/include/linux/init.h @@ -133,7 +133,7 @@ static inline initcall_t initcall_from_entry(initcall_entry_t *entry) #endif extern initcall_entry_t __con_initcall_start[], __con_initcall_end[]; -extern initcall_entry_t __security_initcall_start[], __security_initcall_end[]; +extern initcall_entry_t __start_lsm_info[], __end_lsm_info[]; /* Used for contructor calls. */ typedef void (*ctor_fn_t)(void); @@ -236,7 +236,7 @@ extern bool initcall_debug; static exitcall_t __exitcall_##fn __exit_call = fn #define console_initcall(fn) ___define_initcall(fn,, .con_initcall) -#define security_initcall(fn) ___define_initcall(fn,, .security_initcall) +#define security_initcall(fn) ___define_initcall(fn,, .lsm_info) struct obs_kernel_param { const char *str; diff --git a/security/security.c b/security/security.c index 4cbcf244a965..892fe6b691cf 100644 --- a/security/security.c +++ b/security/security.c @@ -51,9 +51,9 @@ static void __init do_security_initcalls(void) initcall_t call; initcall_entry_t *ce; - ce = __security_initcall_start; + ce = __start_lsm_info; trace_initcall_level("security"); - while (ce < __security_initcall_end) { + while (ce < __end_lsm_info) { call = initcall_from_entry(ce); trace_initcall_start(call); ret = call(); -- cgit v1.2.3-59-g8ed1b From 6907e3746fa1b9b685230098266bbeba99b93c7d Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Wed, 10 Oct 2018 17:18:20 -0700 Subject: LSM: Remove initcall tracing This partially reverts commit 58eacfffc417 ("init, tracing: instrument security and console initcall trace events") since security init calls are about to no longer resemble regular init calls. Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler Reviewed-by: James Morris Signed-off-by: James Morris --- security/security.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) (limited to 'security/security.c') diff --git a/security/security.c b/security/security.c index 892fe6b691cf..41a5da2c7faf 100644 --- a/security/security.c +++ b/security/security.c @@ -30,8 +30,6 @@ #include #include -#include - #define MAX_LSM_EVM_XATTR 2 /* Maximum number of letters for an LSM name string */ @@ -47,17 +45,13 @@ static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = static void __init do_security_initcalls(void) { - int ret; initcall_t call; initcall_entry_t *ce; ce = __start_lsm_info; - trace_initcall_level("security"); while (ce < __end_lsm_info) { call = initcall_from_entry(ce); - trace_initcall_start(call); - ret = call(); - trace_initcall_finish(call, ret); + call(); ce++; } } -- cgit v1.2.3-59-g8ed1b From 5b89c1bd4c7e5c5ca8c5374fde35ecee6e16496c Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Wed, 10 Oct 2018 17:18:21 -0700 Subject: LSM: Convert from initcall to struct lsm_info In preparation for doing more interesting LSM init probing, this converts the existing initcall system into an explicit call into a function pointer from a section-collected struct lsm_info array. Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler Reviewed-by: James Morris Reviewed-by: John Johansen Signed-off-by: James Morris --- include/linux/init.h | 2 -- include/linux/lsm_hooks.h | 12 ++++++++++++ include/linux/module.h | 1 - security/integrity/iint.c | 1 + security/security.c | 14 +++++--------- 5 files changed, 18 insertions(+), 12 deletions(-) (limited to 'security/security.c') diff --git a/include/linux/init.h b/include/linux/init.h index 77636539e77c..9c2aba1dbabf 100644 --- a/include/linux/init.h +++ b/include/linux/init.h @@ -133,7 +133,6 @@ static inline initcall_t initcall_from_entry(initcall_entry_t *entry) #endif extern initcall_entry_t __con_initcall_start[], __con_initcall_end[]; -extern initcall_entry_t __start_lsm_info[], __end_lsm_info[]; /* Used for contructor calls. */ typedef void (*ctor_fn_t)(void); @@ -236,7 +235,6 @@ extern bool initcall_debug; static exitcall_t __exitcall_##fn __exit_call = fn #define console_initcall(fn) ___define_initcall(fn,, .con_initcall) -#define security_initcall(fn) ___define_initcall(fn,, .lsm_info) struct obs_kernel_param { const char *str; diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 97a020c616ad..d13059feca09 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2039,6 +2039,18 @@ extern char *lsm_names; extern void security_add_hooks(struct security_hook_list *hooks, int count, char *lsm); +struct lsm_info { + int (*init)(void); /* Required. */ +}; + +extern struct lsm_info __start_lsm_info[], __end_lsm_info[]; + +#define security_initcall(lsm) \ + static struct lsm_info __lsm_##lsm \ + __used __section(.lsm_info.init) \ + __aligned(sizeof(unsigned long)) \ + = { .init = lsm, } + #ifdef CONFIG_SECURITY_SELINUX_DISABLE /* * Assuring the safety of deleting a security module is up to diff --git a/include/linux/module.h b/include/linux/module.h index f807f15bebbe..264979283756 100644 --- a/include/linux/module.h +++ b/include/linux/module.h @@ -123,7 +123,6 @@ extern void cleanup_module(void); #define late_initcall_sync(fn) module_init(fn) #define console_initcall(fn) module_init(fn) -#define security_initcall(fn) module_init(fn) /* Each module must use one module_init(). */ #define module_init(initfn) \ diff --git a/security/integrity/iint.c b/security/integrity/iint.c index 5a6810041e5c..70d21b566955 100644 --- a/security/integrity/iint.c +++ b/security/integrity/iint.c @@ -22,6 +22,7 @@ #include #include #include +#include #include "integrity.h" static struct rb_root integrity_iint_tree = RB_ROOT; diff --git a/security/security.c b/security/security.c index 41a5da2c7faf..e74f46fba591 100644 --- a/security/security.c +++ b/security/security.c @@ -43,16 +43,12 @@ char *lsm_names; static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = CONFIG_DEFAULT_SECURITY; -static void __init do_security_initcalls(void) +static void __init major_lsm_init(void) { - initcall_t call; - initcall_entry_t *ce; + struct lsm_info *lsm; - ce = __start_lsm_info; - while (ce < __end_lsm_info) { - call = initcall_from_entry(ce); - call(); - ce++; + for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { + lsm->init(); } } @@ -82,7 +78,7 @@ int __init security_init(void) /* * Load all the remaining security modules. */ - do_security_initcalls(); + major_lsm_init(); return 0; } -- cgit v1.2.3-59-g8ed1b From 9b8c7c14059af801637a818882159145c370d6f1 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Wed, 10 Oct 2018 17:18:25 -0700 Subject: LSM: Provide init debugging infrastructure Booting with "lsm.debug" will report future details on how LSM ordering decisions are being made. Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler Reviewed-by: John Johansen Reviewed-by: James Morris Signed-off-by: James Morris --- Documentation/admin-guide/kernel-parameters.txt | 2 ++ security/security.c | 18 ++++++++++++++++++ 2 files changed, 20 insertions(+) (limited to 'security/security.c') diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 9871e649ffef..32d323ee9218 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -2274,6 +2274,8 @@ ltpc= [NET] Format: ,, + lsm.debug [SECURITY] Enable LSM initialization debugging output. + machvec= [IA-64] Force the use of a particular machine-vector (machvec) in a generic kernel. Example: machvec=hpzx1_swiotlb diff --git a/security/security.c b/security/security.c index e74f46fba591..395f804f6a91 100644 --- a/security/security.c +++ b/security/security.c @@ -12,6 +12,8 @@ * (at your option) any later version. */ +#define pr_fmt(fmt) "LSM: " fmt + #include #include #include @@ -43,11 +45,19 @@ char *lsm_names; static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = CONFIG_DEFAULT_SECURITY; +static __initdata bool debug; +#define init_debug(...) \ + do { \ + if (debug) \ + pr_info(__VA_ARGS__); \ + } while (0) + static void __init major_lsm_init(void) { struct lsm_info *lsm; for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { + init_debug("initializing %s\n", lsm->name); lsm->init(); } } @@ -91,6 +101,14 @@ static int __init choose_lsm(char *str) } __setup("security=", choose_lsm); +/* Enable LSM order debugging. */ +static int __init enable_debug(char *str) +{ + debug = true; + return 1; +} +__setup("lsm.debug", enable_debug); + static bool match_last_lsm(const char *list, const char *lsm) { const char *last; -- cgit v1.2.3-59-g8ed1b From 3f6caaf5ff33073ca1a3a0b82edacab3c57c38f9 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Wed, 10 Oct 2018 17:18:26 -0700 Subject: LSM: Don't ignore initialization failures LSM initialization failures have traditionally been ignored. We should at least WARN when something goes wrong. Signed-off-by: Kees Cook Reviewed-by: Casey Schaufler Reviewed-by: John Johansen Signed-off-by: James Morris --- security/security.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'security/security.c') diff --git a/security/security.c b/security/security.c index 395f804f6a91..2055af907eba 100644 --- a/security/security.c +++ b/security/security.c @@ -55,10 +55,12 @@ static __initdata bool debug; static void __init major_lsm_init(void) { struct lsm_info *lsm; + int ret; for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { init_debug("initializing %s\n", lsm->name); - lsm->init(); + ret = lsm->init(); + WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret); } } -- cgit v1.2.3-59-g8ed1b