167a4b6a8SPaul Moore // SPDX-License-Identifier: GPL-2.0-or-later 267a4b6a8SPaul Moore /* 367a4b6a8SPaul Moore * LSM initialization functions 467a4b6a8SPaul Moore */ 567a4b6a8SPaul Moore 667a4b6a8SPaul Moore #define pr_fmt(fmt) "LSM: " fmt 767a4b6a8SPaul Moore 867a4b6a8SPaul Moore #include <linux/init.h> 967a4b6a8SPaul Moore #include <linux/lsm_hooks.h> 1067a4b6a8SPaul Moore 1167a4b6a8SPaul Moore #include "lsm.h" 1267a4b6a8SPaul Moore 132d671726SPaul Moore /* LSM enabled constants. */ 142d671726SPaul Moore static __initdata int lsm_enabled_true = 1; 152d671726SPaul Moore static __initdata int lsm_enabled_false = 0; 162d671726SPaul Moore 1767a4b6a8SPaul Moore /* Pointers to LSM sections defined in include/asm-generic/vmlinux.lds.h */ 1867a4b6a8SPaul Moore extern struct lsm_info __start_lsm_info[], __end_lsm_info[]; 1967a4b6a8SPaul Moore extern struct lsm_info __start_early_lsm_info[], __end_early_lsm_info[]; 2067a4b6a8SPaul Moore 2145a41d13SPaul Moore /* Number of "early" LSMs */ 2245a41d13SPaul Moore static __initdata unsigned int lsm_count_early; 2345a41d13SPaul Moore 24592b104fSPaul Moore /* Build and boot-time LSM ordering. */ 25592b104fSPaul Moore static __initconst const char *const lsm_order_builtin = CONFIG_LSM; 26592b104fSPaul Moore static __initdata const char *lsm_order_cmdline; 27592b104fSPaul Moore static __initdata const char *lsm_order_legacy; 2867a4b6a8SPaul Moore 2967a4b6a8SPaul Moore /* Ordered list of LSMs to initialize. */ 30592b104fSPaul Moore static __initdata struct lsm_info *lsm_order[MAX_LSM_COUNT + 1]; 31592b104fSPaul Moore static __initdata struct lsm_info *lsm_exclusive; 3267a4b6a8SPaul Moore 3337f788f6SPaul Moore #define lsm_order_for_each(iter) \ 34592b104fSPaul Moore for ((iter) = lsm_order; *(iter); (iter)++) 3537f788f6SPaul Moore #define lsm_for_each_raw(iter) \ 3637f788f6SPaul Moore for ((iter) = __start_lsm_info; \ 3737f788f6SPaul Moore (iter) < __end_lsm_info; (iter)++) 3837f788f6SPaul Moore #define lsm_early_for_each_raw(iter) \ 3937f788f6SPaul Moore for ((iter) = __start_early_lsm_info; \ 4037f788f6SPaul Moore (iter) < __end_early_lsm_info; (iter)++) 4137f788f6SPaul Moore 42592b104fSPaul Moore /** 43592b104fSPaul Moore * lsm_choose_security - Legacy "major" LSM selection 44592b104fSPaul Moore * @str: kernel command line parameter 45592b104fSPaul Moore */ 46592b104fSPaul Moore static int __init lsm_choose_security(char *str) 4767a4b6a8SPaul Moore { 48592b104fSPaul Moore lsm_order_legacy = str; 4967a4b6a8SPaul Moore return 1; 5067a4b6a8SPaul Moore } 51592b104fSPaul Moore __setup("security=", lsm_choose_security); 5267a4b6a8SPaul Moore 53592b104fSPaul Moore /** 54592b104fSPaul Moore * lsm_choose_lsm - Modern LSM selection 55592b104fSPaul Moore * @str: kernel command line parameter 56592b104fSPaul Moore */ 57592b104fSPaul Moore static int __init lsm_choose_lsm(char *str) 5867a4b6a8SPaul Moore { 59592b104fSPaul Moore lsm_order_cmdline = str; 6067a4b6a8SPaul Moore return 1; 6167a4b6a8SPaul Moore } 62592b104fSPaul Moore __setup("lsm=", lsm_choose_lsm); 6367a4b6a8SPaul Moore 64592b104fSPaul Moore /** 65592b104fSPaul Moore * lsm_debug_enable - Enable LSM framework debugging 66592b104fSPaul Moore * @str: kernel command line parameter 67592b104fSPaul Moore * 68592b104fSPaul Moore * Currently we only provide debug info during LSM initialization, but we may 69592b104fSPaul Moore * want to expand this in the future. 70592b104fSPaul Moore */ 71592b104fSPaul Moore static int __init lsm_debug_enable(char *str) 7267a4b6a8SPaul Moore { 735137e583SPaul Moore lsm_debug = true; 7467a4b6a8SPaul Moore return 1; 7567a4b6a8SPaul Moore } 76592b104fSPaul Moore __setup("lsm.debug", lsm_debug_enable); 7767a4b6a8SPaul Moore 782d671726SPaul Moore /** 792d671726SPaul Moore * lsm_enabled_set - Mark a LSM as enabled 802d671726SPaul Moore * @lsm: LSM definition 812d671726SPaul Moore * @enabled: enabled flag 822d671726SPaul Moore */ 832d671726SPaul Moore static void __init lsm_enabled_set(struct lsm_info *lsm, bool enabled) 8467a4b6a8SPaul Moore { 8567a4b6a8SPaul Moore /* 8667a4b6a8SPaul Moore * When an LSM hasn't configured an enable variable, we can use 8767a4b6a8SPaul Moore * a hard-coded location for storing the default enabled state. 8867a4b6a8SPaul Moore */ 892d671726SPaul Moore if (!lsm->enabled || 902d671726SPaul Moore lsm->enabled == &lsm_enabled_true || 912d671726SPaul Moore lsm->enabled == &lsm_enabled_false) { 922d671726SPaul Moore lsm->enabled = enabled ? &lsm_enabled_true : &lsm_enabled_false; 9367a4b6a8SPaul Moore } else { 9467a4b6a8SPaul Moore *lsm->enabled = enabled; 9567a4b6a8SPaul Moore } 9667a4b6a8SPaul Moore } 9767a4b6a8SPaul Moore 982d671726SPaul Moore /** 992d671726SPaul Moore * lsm_is_enabled - Determine if a LSM is enabled 1002d671726SPaul Moore * @lsm: LSM definition 1012d671726SPaul Moore */ 1022d671726SPaul Moore static inline bool lsm_is_enabled(struct lsm_info *lsm) 10367a4b6a8SPaul Moore { 1042d671726SPaul Moore return (lsm->enabled ? *lsm->enabled : false); 10567a4b6a8SPaul Moore } 10667a4b6a8SPaul Moore 107a748372aSPaul Moore /** 108a748372aSPaul Moore * lsm_order_exists - Determine if a LSM exists in the ordered list 109a748372aSPaul Moore * @lsm: LSM definition 110a748372aSPaul Moore */ 111a748372aSPaul Moore static bool __init lsm_order_exists(struct lsm_info *lsm) 11267a4b6a8SPaul Moore { 11367a4b6a8SPaul Moore struct lsm_info **check; 11467a4b6a8SPaul Moore 11537f788f6SPaul Moore lsm_order_for_each(check) { 11667a4b6a8SPaul Moore if (*check == lsm) 11767a4b6a8SPaul Moore return true; 11837f788f6SPaul Moore } 11967a4b6a8SPaul Moore 12067a4b6a8SPaul Moore return false; 12167a4b6a8SPaul Moore } 12267a4b6a8SPaul Moore 12324a9c589SPaul Moore /** 12424a9c589SPaul Moore * lsm_order_append - Append a LSM to the ordered list 12524a9c589SPaul Moore * @lsm: LSM definition 12624a9c589SPaul Moore * @src: source of the addition 12724a9c589SPaul Moore * 12824a9c589SPaul Moore * Append @lsm to the enabled LSM array after ensuring that it hasn't been 12924a9c589SPaul Moore * explicitly disabled, is a duplicate entry, or would run afoul of the 13024a9c589SPaul Moore * LSM_FLAG_EXCLUSIVE logic. 13124a9c589SPaul Moore */ 13224a9c589SPaul Moore static void __init lsm_order_append(struct lsm_info *lsm, const char *src) 13367a4b6a8SPaul Moore { 13467a4b6a8SPaul Moore /* Ignore duplicate selections. */ 135a748372aSPaul Moore if (lsm_order_exists(lsm)) 13667a4b6a8SPaul Moore return; 13767a4b6a8SPaul Moore 13824a9c589SPaul Moore /* Skip explicitly disabled LSMs. */ 1395137e583SPaul Moore if (lsm->enabled && !lsm_is_enabled(lsm)) { 1405137e583SPaul Moore lsm_pr_dbg("skip previously disabled LSM %s:%s\n", 1415137e583SPaul Moore src, lsm->id->name); 1425137e583SPaul Moore return; 1435137e583SPaul Moore } 14467a4b6a8SPaul Moore 1455137e583SPaul Moore if (lsm_active_cnt == MAX_LSM_COUNT) { 1465137e583SPaul Moore pr_warn("exceeded maximum LSM count on %s:%s\n", 1475137e583SPaul Moore src, lsm->id->name); 14824a9c589SPaul Moore lsm_enabled_set(lsm, false); 1495137e583SPaul Moore return; 15024a9c589SPaul Moore } 15167a4b6a8SPaul Moore 15224a9c589SPaul Moore if (lsm->flags & LSM_FLAG_EXCLUSIVE) { 15324a9c589SPaul Moore if (lsm_exclusive) { 1545137e583SPaul Moore lsm_pr_dbg("skip exclusive LSM conflict %s:%s\n", 1555137e583SPaul Moore src, lsm->id->name); 15624a9c589SPaul Moore lsm_enabled_set(lsm, false); 1575137e583SPaul Moore return; 15824a9c589SPaul Moore } else { 1595137e583SPaul Moore lsm_pr_dbg("select exclusive LSM %s:%s\n", 1605137e583SPaul Moore src, lsm->id->name); 16124a9c589SPaul Moore lsm_exclusive = lsm; 16224a9c589SPaul Moore } 16324a9c589SPaul Moore } 16424a9c589SPaul Moore 16524a9c589SPaul Moore lsm_enabled_set(lsm, true); 16624a9c589SPaul Moore lsm_order[lsm_active_cnt] = lsm; 16724a9c589SPaul Moore lsm_idlist[lsm_active_cnt++] = lsm->id; 16824a9c589SPaul Moore 1695137e583SPaul Moore lsm_pr_dbg("enabling LSM %s:%s\n", src, lsm->id->name); 17067a4b6a8SPaul Moore } 17167a4b6a8SPaul Moore 172291271e6SPaul Moore /** 173*3423c639SPaul Moore * lsm_order_parse - Parse the comma delimited LSM list 174*3423c639SPaul Moore * @list: LSM list 175*3423c639SPaul Moore * @src: source of the list 176*3423c639SPaul Moore */ 177*3423c639SPaul Moore static void __init lsm_order_parse(const char *list, const char *src) 178*3423c639SPaul Moore { 179*3423c639SPaul Moore struct lsm_info *lsm; 180*3423c639SPaul Moore char *sep, *name, *next; 181*3423c639SPaul Moore 182*3423c639SPaul Moore /* Handle any Legacy LSM exclusions if one was specified. */ 183*3423c639SPaul Moore if (lsm_order_legacy) { 184*3423c639SPaul Moore /* 185*3423c639SPaul Moore * To match the original "security=" behavior, this explicitly 186*3423c639SPaul Moore * does NOT fallback to another Legacy Major if the selected 187*3423c639SPaul Moore * one was separately disabled: disable all non-matching 188*3423c639SPaul Moore * Legacy Major LSMs. 189*3423c639SPaul Moore */ 190*3423c639SPaul Moore lsm_for_each_raw(lsm) { 191*3423c639SPaul Moore if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) && 192*3423c639SPaul Moore strcmp(lsm->id->name, lsm_order_legacy)) { 193*3423c639SPaul Moore lsm_enabled_set(lsm, false); 194*3423c639SPaul Moore lsm_pr_dbg("skip legacy LSM conflict %s:%s\n", 195*3423c639SPaul Moore src, lsm->id->name); 196*3423c639SPaul Moore } 197*3423c639SPaul Moore } 198*3423c639SPaul Moore } 199*3423c639SPaul Moore 200*3423c639SPaul Moore /* LSM_ORDER_FIRST */ 201*3423c639SPaul Moore lsm_for_each_raw(lsm) { 202*3423c639SPaul Moore if (lsm->order == LSM_ORDER_FIRST) 203*3423c639SPaul Moore lsm_order_append(lsm, "first"); 204*3423c639SPaul Moore } 205*3423c639SPaul Moore 206*3423c639SPaul Moore /* Normal or "mutable" LSMs */ 207*3423c639SPaul Moore sep = kstrdup(list, GFP_KERNEL); 208*3423c639SPaul Moore next = sep; 209*3423c639SPaul Moore /* Walk the list, looking for matching LSMs. */ 210*3423c639SPaul Moore while ((name = strsep(&next, ",")) != NULL) { 211*3423c639SPaul Moore lsm_for_each_raw(lsm) { 212*3423c639SPaul Moore if (!strcmp(lsm->id->name, name) && 213*3423c639SPaul Moore lsm->order == LSM_ORDER_MUTABLE) 214*3423c639SPaul Moore lsm_order_append(lsm, src); 215*3423c639SPaul Moore } 216*3423c639SPaul Moore } 217*3423c639SPaul Moore kfree(sep); 218*3423c639SPaul Moore 219*3423c639SPaul Moore /* Legacy LSM if specified. */ 220*3423c639SPaul Moore if (lsm_order_legacy) { 221*3423c639SPaul Moore lsm_for_each_raw(lsm) { 222*3423c639SPaul Moore if (!strcmp(lsm->id->name, lsm_order_legacy)) 223*3423c639SPaul Moore lsm_order_append(lsm, src); 224*3423c639SPaul Moore } 225*3423c639SPaul Moore } 226*3423c639SPaul Moore 227*3423c639SPaul Moore /* LSM_ORDER_LAST */ 228*3423c639SPaul Moore lsm_for_each_raw(lsm) { 229*3423c639SPaul Moore if (lsm->order == LSM_ORDER_LAST) 230*3423c639SPaul Moore lsm_order_append(lsm, "last"); 231*3423c639SPaul Moore } 232*3423c639SPaul Moore 233*3423c639SPaul Moore /* Disable all LSMs not previously enabled. */ 234*3423c639SPaul Moore lsm_for_each_raw(lsm) { 235*3423c639SPaul Moore if (lsm_order_exists(lsm)) 236*3423c639SPaul Moore continue; 237*3423c639SPaul Moore lsm_enabled_set(lsm, false); 238*3423c639SPaul Moore lsm_pr_dbg("skip disabled LSM %s:%s\n", src, lsm->id->name); 239*3423c639SPaul Moore } 240*3423c639SPaul Moore } 241*3423c639SPaul Moore 242*3423c639SPaul Moore /** 243291271e6SPaul Moore * lsm_blob_size_update - Update the LSM blob size and offset information 244291271e6SPaul Moore * @sz_req: the requested additional blob size 245291271e6SPaul Moore * @sz_cur: the existing blob size 246291271e6SPaul Moore */ 247291271e6SPaul Moore static void __init lsm_blob_size_update(unsigned int *sz_req, 248291271e6SPaul Moore unsigned int *sz_cur) 24967a4b6a8SPaul Moore { 250291271e6SPaul Moore unsigned int offset; 25167a4b6a8SPaul Moore 252291271e6SPaul Moore if (*sz_req == 0) 25367a4b6a8SPaul Moore return; 25467a4b6a8SPaul Moore 255291271e6SPaul Moore offset = ALIGN(*sz_cur, sizeof(void *)); 256291271e6SPaul Moore *sz_cur = offset + *sz_req; 257291271e6SPaul Moore *sz_req = offset; 25867a4b6a8SPaul Moore } 25967a4b6a8SPaul Moore 260e0257856SPaul Moore /** 261e0257856SPaul Moore * lsm_prepare - Prepare the LSM framework for a new LSM 262e0257856SPaul Moore * @lsm: LSM definition 26367a4b6a8SPaul Moore */ 264e0257856SPaul Moore static void __init lsm_prepare(struct lsm_info *lsm) 26567a4b6a8SPaul Moore { 26624a9c589SPaul Moore struct lsm_blob_sizes *blobs = lsm->blobs; 26767a4b6a8SPaul Moore 26824a9c589SPaul Moore if (!blobs) 269e0257856SPaul Moore return; 27067a4b6a8SPaul Moore 271e0257856SPaul Moore /* Register the LSM blob sizes. */ 272291271e6SPaul Moore blobs = lsm->blobs; 273291271e6SPaul Moore lsm_blob_size_update(&blobs->lbs_cred, &blob_sizes.lbs_cred); 274291271e6SPaul Moore lsm_blob_size_update(&blobs->lbs_file, &blob_sizes.lbs_file); 275291271e6SPaul Moore lsm_blob_size_update(&blobs->lbs_ib, &blob_sizes.lbs_ib); 276e0257856SPaul Moore /* inode blob gets an rcu_head in addition to LSM blobs. */ 277e0257856SPaul Moore if (blobs->lbs_inode && blob_sizes.lbs_inode == 0) 278e0257856SPaul Moore blob_sizes.lbs_inode = sizeof(struct rcu_head); 279291271e6SPaul Moore lsm_blob_size_update(&blobs->lbs_inode, &blob_sizes.lbs_inode); 280291271e6SPaul Moore lsm_blob_size_update(&blobs->lbs_ipc, &blob_sizes.lbs_ipc); 281291271e6SPaul Moore lsm_blob_size_update(&blobs->lbs_key, &blob_sizes.lbs_key); 282291271e6SPaul Moore lsm_blob_size_update(&blobs->lbs_msg_msg, &blob_sizes.lbs_msg_msg); 283291271e6SPaul Moore lsm_blob_size_update(&blobs->lbs_perf_event, 284291271e6SPaul Moore &blob_sizes.lbs_perf_event); 285291271e6SPaul Moore lsm_blob_size_update(&blobs->lbs_sock, &blob_sizes.lbs_sock); 286291271e6SPaul Moore lsm_blob_size_update(&blobs->lbs_superblock, 287291271e6SPaul Moore &blob_sizes.lbs_superblock); 288291271e6SPaul Moore lsm_blob_size_update(&blobs->lbs_task, &blob_sizes.lbs_task); 289291271e6SPaul Moore lsm_blob_size_update(&blobs->lbs_tun_dev, &blob_sizes.lbs_tun_dev); 290291271e6SPaul Moore lsm_blob_size_update(&blobs->lbs_xattr_count, 291e0257856SPaul Moore &blob_sizes.lbs_xattr_count); 292291271e6SPaul Moore lsm_blob_size_update(&blobs->lbs_bdev, &blob_sizes.lbs_bdev); 293291271e6SPaul Moore lsm_blob_size_update(&blobs->lbs_bpf_map, &blob_sizes.lbs_bpf_map); 294291271e6SPaul Moore lsm_blob_size_update(&blobs->lbs_bpf_prog, &blob_sizes.lbs_bpf_prog); 295291271e6SPaul Moore lsm_blob_size_update(&blobs->lbs_bpf_token, &blob_sizes.lbs_bpf_token); 29667a4b6a8SPaul Moore } 29767a4b6a8SPaul Moore 29827be5600SPaul Moore /** 29927be5600SPaul Moore * lsm_init_single - Initialize a given LSM 30027be5600SPaul Moore * @lsm: LSM definition 30127be5600SPaul Moore */ 30227be5600SPaul Moore static void __init lsm_init_single(struct lsm_info *lsm) 30367a4b6a8SPaul Moore { 30467a4b6a8SPaul Moore int ret; 30567a4b6a8SPaul Moore 30627be5600SPaul Moore if (!lsm_is_enabled(lsm)) 30727be5600SPaul Moore return; 30827be5600SPaul Moore 3095137e583SPaul Moore lsm_pr_dbg("initializing %s\n", lsm->id->name); 31067a4b6a8SPaul Moore ret = lsm->init(); 3119f9dc69eSPaul Moore WARN(ret, "%s failed to initialize: %d\n", lsm->id->name, ret); 31267a4b6a8SPaul Moore } 31367a4b6a8SPaul Moore 314752db065SPaul Moore /** 31545070533SPaul Moore * lsm_static_call_init - Initialize a LSM's static calls 31645070533SPaul Moore * @hl: LSM hook list 31745070533SPaul Moore */ 3185137e583SPaul Moore static int __init lsm_static_call_init(struct security_hook_list *hl) 31967a4b6a8SPaul Moore { 32045a41d13SPaul Moore struct lsm_static_call *scall = hl->scalls; 32145a41d13SPaul Moore int i; 32245a41d13SPaul Moore 32345a41d13SPaul Moore for (i = 0; i < MAX_LSM_COUNT; i++) { 32445a41d13SPaul Moore /* Update the first static call that is not used yet */ 32545a41d13SPaul Moore if (!scall->hl) { 32645a41d13SPaul Moore __static_call_update(scall->key, scall->trampoline, 32745a41d13SPaul Moore hl->hook.lsm_func_addr); 32845a41d13SPaul Moore scall->hl = hl; 32945a41d13SPaul Moore static_branch_enable(scall->active); 3305137e583SPaul Moore return 0; 33145a41d13SPaul Moore } 33245a41d13SPaul Moore scall++; 33345a41d13SPaul Moore } 3345137e583SPaul Moore 3355137e583SPaul Moore return -ENOSPC; 33645a41d13SPaul Moore } 33745a41d13SPaul Moore 33845a41d13SPaul Moore /** 33945070533SPaul Moore * security_add_hooks - Add a LSM's hooks to the LSM framework's hook lists 34045070533SPaul Moore * @hooks: LSM hooks to add 34145070533SPaul Moore * @count: number of hooks to add 34245070533SPaul Moore * @lsmid: identification information for the LSM 34345a41d13SPaul Moore * 34445070533SPaul Moore * Each LSM has to register its hooks with the LSM framework. 34545a41d13SPaul Moore */ 34645a41d13SPaul Moore void __init security_add_hooks(struct security_hook_list *hooks, int count, 34745a41d13SPaul Moore const struct lsm_id *lsmid) 34845a41d13SPaul Moore { 34945a41d13SPaul Moore int i; 35045a41d13SPaul Moore 35145a41d13SPaul Moore for (i = 0; i < count; i++) { 35245a41d13SPaul Moore hooks[i].lsmid = lsmid; 3535137e583SPaul Moore if (lsm_static_call_init(&hooks[i])) 3545137e583SPaul Moore panic("exhausted LSM callback slots with LSM %s\n", 3555137e583SPaul Moore lsmid->name); 35645a41d13SPaul Moore } 35745a41d13SPaul Moore } 35845a41d13SPaul Moore 35945070533SPaul Moore /** 36045070533SPaul Moore * early_security_init - Initialize the early LSMs 36145070533SPaul Moore */ 36245a41d13SPaul Moore int __init early_security_init(void) 36345a41d13SPaul Moore { 36445a41d13SPaul Moore struct lsm_info *lsm; 36545a41d13SPaul Moore 366ac3c47ceSPaul Moore /* NOTE: lsm_pr_dbg() doesn't work here as lsm_debug is not yet set */ 367ac3c47ceSPaul Moore 36845a41d13SPaul Moore lsm_early_for_each_raw(lsm) { 36945a41d13SPaul Moore lsm_enabled_set(lsm, true); 37045a41d13SPaul Moore lsm_order_append(lsm, "early"); 37145a41d13SPaul Moore lsm_prepare(lsm); 37245a41d13SPaul Moore lsm_init_single(lsm); 37345a41d13SPaul Moore lsm_count_early++; 37445a41d13SPaul Moore } 37545a41d13SPaul Moore 37645a41d13SPaul Moore return 0; 37745a41d13SPaul Moore } 37845a41d13SPaul Moore 37945a41d13SPaul Moore /** 38045a41d13SPaul Moore * security_init - Initializes the LSM framework 38145a41d13SPaul Moore * 38245a41d13SPaul Moore * This should be called early in the kernel initialization sequence. 38345a41d13SPaul Moore */ 38445a41d13SPaul Moore int __init security_init(void) 38545a41d13SPaul Moore { 38645a41d13SPaul Moore unsigned int cnt; 38767a4b6a8SPaul Moore struct lsm_info **lsm; 38845a41d13SPaul Moore 3895137e583SPaul Moore if (lsm_debug) { 390ac3c47ceSPaul Moore struct lsm_info *i; 391ac3c47ceSPaul Moore 392ac3c47ceSPaul Moore cnt = 0; 393ac3c47ceSPaul Moore lsm_pr("available LSMs: "); 394ac3c47ceSPaul Moore lsm_early_for_each_raw(i) 395ac3c47ceSPaul Moore lsm_pr_cont("%s%s(E)", (cnt++ ? "," : ""), i->id->name); 396ac3c47ceSPaul Moore lsm_for_each_raw(i) 397ac3c47ceSPaul Moore lsm_pr_cont("%s%s", (cnt++ ? "," : ""), i->id->name); 398ac3c47ceSPaul Moore lsm_pr_cont("\n"); 399ac3c47ceSPaul Moore 400ac3c47ceSPaul Moore lsm_pr("built-in LSM config: %s\n", lsm_order_builtin); 401ac3c47ceSPaul Moore 4025137e583SPaul Moore lsm_pr("legacy LSM parameter: %s\n", lsm_order_legacy); 4035137e583SPaul Moore lsm_pr("boot LSM parameter: %s\n", lsm_order_cmdline); 404ac3c47ceSPaul Moore 405ac3c47ceSPaul Moore /* see the note about lsm_pr_dbg() in early_security_init() */ 406ac3c47ceSPaul Moore lsm_early_for_each_raw(i) 407ac3c47ceSPaul Moore lsm_pr("enabled LSM early:%s\n", i->id->name); 4085137e583SPaul Moore } 40967a4b6a8SPaul Moore 410592b104fSPaul Moore if (lsm_order_cmdline) { 4115137e583SPaul Moore if (lsm_order_legacy) 412592b104fSPaul Moore lsm_order_legacy = NULL; 413752db065SPaul Moore lsm_order_parse(lsm_order_cmdline, "cmdline"); 41467a4b6a8SPaul Moore } else 415752db065SPaul Moore lsm_order_parse(lsm_order_builtin, "builtin"); 41667a4b6a8SPaul Moore 41745a41d13SPaul Moore lsm_order_for_each(lsm) 418e0257856SPaul Moore lsm_prepare(*lsm); 41967a4b6a8SPaul Moore 4205137e583SPaul Moore if (lsm_debug) { 4215137e583SPaul Moore lsm_pr("blob(cred) size %d\n", blob_sizes.lbs_cred); 4225137e583SPaul Moore lsm_pr("blob(file) size %d\n", blob_sizes.lbs_file); 4235137e583SPaul Moore lsm_pr("blob(ib) size %d\n", blob_sizes.lbs_ib); 4245137e583SPaul Moore lsm_pr("blob(inode) size %d\n", blob_sizes.lbs_inode); 4255137e583SPaul Moore lsm_pr("blob(ipc) size %d\n", blob_sizes.lbs_ipc); 4265137e583SPaul Moore lsm_pr("blob(key) size %d\n", blob_sizes.lbs_key); 4275137e583SPaul Moore lsm_pr("blob(msg_msg)_size %d\n", blob_sizes.lbs_msg_msg); 4285137e583SPaul Moore lsm_pr("blob(sock) size %d\n", blob_sizes.lbs_sock); 4295137e583SPaul Moore lsm_pr("blob(superblock) size %d\n", blob_sizes.lbs_superblock); 4305137e583SPaul Moore lsm_pr("blob(perf_event) size %d\n", blob_sizes.lbs_perf_event); 4315137e583SPaul Moore lsm_pr("blob(task) size %d\n", blob_sizes.lbs_task); 4325137e583SPaul Moore lsm_pr("blob(tun_dev) size %d\n", blob_sizes.lbs_tun_dev); 4335137e583SPaul Moore lsm_pr("blob(xattr) count %d\n", blob_sizes.lbs_xattr_count); 4345137e583SPaul Moore lsm_pr("blob(bdev) size %d\n", blob_sizes.lbs_bdev); 4355137e583SPaul Moore lsm_pr("blob(bpf_map) size %d\n", blob_sizes.lbs_bpf_map); 4365137e583SPaul Moore lsm_pr("blob(bpf_prog) size %d\n", blob_sizes.lbs_bpf_prog); 4375137e583SPaul Moore lsm_pr("blob(bpf_token) size %d\n", blob_sizes.lbs_bpf_token); 438cb1513dbSPaul Moore } 43967a4b6a8SPaul Moore 44067a4b6a8SPaul Moore if (blob_sizes.lbs_file) 44167a4b6a8SPaul Moore lsm_file_cache = kmem_cache_create("lsm_file_cache", 44267a4b6a8SPaul Moore blob_sizes.lbs_file, 0, 44367a4b6a8SPaul Moore SLAB_PANIC, NULL); 44467a4b6a8SPaul Moore if (blob_sizes.lbs_inode) 44567a4b6a8SPaul Moore lsm_inode_cache = kmem_cache_create("lsm_inode_cache", 44667a4b6a8SPaul Moore blob_sizes.lbs_inode, 0, 44767a4b6a8SPaul Moore SLAB_PANIC, NULL); 44867a4b6a8SPaul Moore 44992ed3500SPaul Moore if (lsm_cred_alloc((struct cred __rcu *)current->cred, GFP_KERNEL)) 4505137e583SPaul Moore panic("early LSM cred alloc failed\n"); 45192ed3500SPaul Moore if (lsm_task_alloc(current)) 4525137e583SPaul Moore panic("early LSM task alloc failed\n"); 45392ed3500SPaul Moore 45445a41d13SPaul Moore cnt = 0; 45537f788f6SPaul Moore lsm_order_for_each(lsm) { 45645a41d13SPaul Moore /* skip the "early" LSMs as they have already been setup */ 45745a41d13SPaul Moore if (cnt++ < lsm_count_early) 45845a41d13SPaul Moore continue; 45927be5600SPaul Moore lsm_init_single(*lsm); 46067a4b6a8SPaul Moore } 46167a4b6a8SPaul Moore 46267a4b6a8SPaul Moore return 0; 46367a4b6a8SPaul Moore } 464