LSM: Tie enabling logic to presence in ordered list

Until now, any LSM without an enable storage variable was considered
enabled. This inverts the logic and sets defaults to true only if the
LSM gets added to the ordered initialization list. (And an exception
continues for the major LSMs until they are integrated into the ordered
initialization in a later patch.)

Signed-off-by: Kees Cook <keescook@chromium.org>

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index be1581d18e3ec508927f71ca44c2e9e1fee2e32c..e28a3aa639e8cb1bf6cc715c50b07d566f6ecc28 100644 (file)
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -2047,7 +2047,7 @@ extern void security_add_hooks(struct security_hook_list *hooks, int count,
 struct lsm_info {
        const char *name;       /* Required. */
        unsigned long flags;    /* Optional: flags describing LSM */
-       int *enabled;           /* Optional: NULL means enabled. */
+       int *enabled;           /* Optional: controlled by CONFIG_LSM */
        int (*init)(void);      /* Required. */
 };
 

diff --git a/security/security.c b/security/security.c
index 2e1f48e8a6f2bf6e56bc7b43e18a4f3eff9706d7..b6d3456978a4a18893aa8e59ea1b16daa95b2ae0 100644 (file)
--- a/security/security.c
+++ b/security/security.c
@@ -63,10 +63,10 @@ static __initdata bool debug;
 
 static bool __init is_enabled(struct lsm_info *lsm)
 {
-       if (!lsm->enabled || *lsm->enabled)
-               return true;
+       if (!lsm->enabled)
+               return false;
 
-       return false;
+       return *lsm->enabled;
 }
 
 /* Mark an LSM's enabled flag. */
@@ -117,7 +117,11 @@ static void __init append_ordered_lsm(struct lsm_info *lsm, const char *from)
        if (WARN(last_lsm == LSM_COUNT, "%s: out of LSM slots!?\n", from))
                return;
 
+       /* Enable this LSM, if it is not already set. */
+       if (!lsm->enabled)
+               lsm->enabled = &lsm_enabled_true;
        ordered_lsms[last_lsm++] = lsm;
+
        init_debug("%s ordering: %s (%sabled)\n", from, lsm->name,
                   is_enabled(lsm) ? "en" : "dis");
 }
@@ -210,6 +214,10 @@ static void __init major_lsm_init(void)
                if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) == 0)
                        continue;
 
+               /* Enable this LSM, if it is not already set. */
+               if (!lsm->enabled)
+                       lsm->enabled = &lsm_enabled_true;
+
                maybe_initialize_lsm(lsm);
        }
 }