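// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * LSM initialization functions
 */

#define pr_fmt(fmt) "LSM: " fmt

#include <linux/init.h>
#include <linux/lsm_hooks.h>

#include "lsm.h"

/*
 * LSM enabled constants.
 *
 * An LSM that does not supply its own "enabled" variable gets lsm->enabled
 * pointed at one of these two objects by lsm_enabled_set().  The *address* is
 * what marks the flag as framework-owned, so these values are only ever
 * selected, never written through lsm->enabled.
 */
static __initdata int lsm_enabled_true = 1;
static __initdata int lsm_enabled_false = 0;

/* Pointers to LSM sections defined in include/asm-generic/vmlinux.lds.h */
extern struct lsm_info __start_lsm_info[], __end_lsm_info[];
extern struct lsm_info __start_early_lsm_info[], __end_early_lsm_info[];

/* Number of "early" LSMs */
static __initdata unsigned int lsm_count_early;

/* Build and boot-time LSM ordering. */
static __initconst const char *const lsm_order_builtin = CONFIG_LSM;
static __initdata const char *lsm_order_cmdline;
static __initdata const char *lsm_order_legacy;

/*
 * Ordered list of LSMs to initialize.
 *
 * One slot larger than MAX_LSM_COUNT so the array is always NULL terminated:
 * lsm_order_append() refuses to write once lsm_active_cnt reaches
 * MAX_LSM_COUNT, and lsm_order_for_each() stops at the first NULL entry.
 */
static __initdata struct lsm_info *lsm_order[MAX_LSM_COUNT + 1];
static __initdata struct lsm_info *lsm_exclusive;

#define lsm_order_for_each(iter) \
	for ((iter) = lsm_order; *(iter); (iter)++)
#define lsm_for_each_raw(iter) \
	for ((iter) = __start_lsm_info; \
	     (iter) < __end_lsm_info; (iter)++)
#define lsm_early_for_each_raw(iter) \
	for ((iter) = __start_early_lsm_info; \
	     (iter) < __end_early_lsm_info; (iter)++)

/**
 * lsm_choose_security - Legacy "major" LSM selection
 * @str: kernel command line parameter
 *
 * Only records the parameter; it is interpreted later by lsm_order_parse().
 * Returns 1 so the __setup() machinery treats the parameter as consumed.
 */
static int __init lsm_choose_security(char *str)
{
	lsm_order_legacy = str;
	return 1;
}
__setup("security=", lsm_choose_security);

/**
 * lsm_choose_lsm - Modern LSM selection
 * @str: kernel command line parameter
 *
 * Only records the parameter; it is interpreted later by security_init().
 * Returns 1 so the __setup() machinery treats the parameter as consumed.
 */
static int __init lsm_choose_lsm(char *str)
{
	lsm_order_cmdline = str;
	return 1;
}
__setup("lsm=", lsm_choose_lsm);

/**
 * lsm_debug_enable - Enable LSM framework debugging
 * @str: kernel command line parameter
 *
 * Currently we only provide debug info during LSM initialization, but we may
 * want to expand this in the future.
 */
static int __init lsm_debug_enable(char *str)
{
	lsm_debug = true;
	return 1;
}
__setup("lsm.debug", lsm_debug_enable);

/**
 * lsm_enabled_set - Mark a LSM as enabled
 * @lsm: LSM definition
 * @enabled: enabled flag
 */
static void __init lsm_enabled_set(struct lsm_info *lsm, bool enabled)
{
	/*
	 * When an LSM hasn't configured an enable variable, we can use
	 * a hard-coded location for storing the default enabled state.
	 * The same applies when lsm->enabled already points at one of
	 * the shared constants: those must never be written through.
	 */
	if (!lsm->enabled ||
	    lsm->enabled == &lsm_enabled_true ||
	    lsm->enabled == &lsm_enabled_false) {
		lsm->enabled = enabled ? &lsm_enabled_true : &lsm_enabled_false;
	} else {
		*lsm->enabled = enabled;
	}
}

/**
 * lsm_is_enabled - Determine if a LSM is enabled
 * @lsm: LSM definition
 *
 * An LSM with no enabled variable at all is reported as disabled.
 */
static inline bool lsm_is_enabled(struct lsm_info *lsm)
{
	return (lsm->enabled ? *lsm->enabled : false);
}

/**
 * lsm_order_exists - Determine if a LSM exists in the ordered list
 * @lsm: LSM definition
 */
static bool __init lsm_order_exists(struct lsm_info *lsm)
{
	struct lsm_info **check;

	lsm_order_for_each(check) {
		if (*check == lsm)
			return true;
	}

	return false;
}

/**
 * lsm_order_append - Append a LSM to the ordered list
 * @lsm: LSM definition
 * @src: source of the addition
 *
 * Append @lsm to the enabled LSM array after ensuring that it hasn't been
 * explicitly disabled, is a duplicate entry, or would run afoul of the
 * LSM_FLAG_EXCLUSIVE logic.  Every rejection other than the duplicate case
 * marks @lsm disabled so that lsm_init_single() later skips it.
 */
static void __init lsm_order_append(struct lsm_info *lsm, const char *src)
{
	/* Ignore duplicate selections. */
	if (lsm_order_exists(lsm))
		return;

	/*
	 * Skip explicitly disabled LSMs.  An LSM without an enabled
	 * variable has not been disabled by anyone, hence the extra check
	 * on lsm->enabled rather than lsm_is_enabled() alone.
	 */
	if (lsm->enabled && !lsm_is_enabled(lsm)) {
		lsm_pr_dbg("skip previously disabled LSM %s:%s\n",
			   src, lsm->id->name);
		return;
	}

	/* Checked before the stores below so lsm_order stays NULL terminated. */
	if (lsm_active_cnt == MAX_LSM_COUNT) {
		pr_warn("exceeded maximum LSM count on %s:%s\n",
			src, lsm->id->name);
		lsm_enabled_set(lsm, false);
		return;
	}

	if (lsm->flags & LSM_FLAG_EXCLUSIVE) {
		if (lsm_exclusive) {
			lsm_pr_dbg("skip exclusive LSM conflict %s:%s\n",
				   src, lsm->id->name);
			lsm_enabled_set(lsm, false);
			return;
		} else {
			lsm_pr_dbg("select exclusive LSM %s:%s\n",
				   src, lsm->id->name);
			lsm_exclusive = lsm;
		}
	}

	lsm_enabled_set(lsm, true);
	lsm_order[lsm_active_cnt] = lsm;
	lsm_idlist[lsm_active_cnt++] = lsm->id;

	lsm_pr_dbg("enabling LSM %s:%s\n", src, lsm->id->name);
}

/**
 * lsm_blob_size_update - Update the LSM blob size and offset information
 * @sz_req: the requested additional blob size
 * @sz_cur: the existing blob size
 *
 * On return @sz_cur has grown by the pointer-aligned request and @sz_req has
 * been rewritten to the offset of the new region within the aggregate blob,
 * which is what the LSM later uses to locate its own data.  A zero request
 * leaves both values untouched.
 */
static void __init lsm_blob_size_update(unsigned int *sz_req,
					unsigned int *sz_cur)
{
	unsigned int offset;

	if (*sz_req == 0)
		return;

	offset = ALIGN(*sz_cur, sizeof(void *));
	*sz_cur = offset + *sz_req;
	*sz_req = offset;
}

/**
 * lsm_prepare - Prepare the LSM framework for a new LSM
 * @lsm: LSM definition
 *
 * Register each of the LSM's requested blob sizes against the framework
 * totals; LSMs without a blob table have nothing to prepare.
 */
static void __init lsm_prepare(struct lsm_info *lsm)
{
	struct lsm_blob_sizes *blobs = lsm->blobs;

	if (!blobs)
		return;

	/* Register the LSM blob sizes. */
	lsm_blob_size_update(&blobs->lbs_cred, &blob_sizes.lbs_cred);
	lsm_blob_size_update(&blobs->lbs_file, &blob_sizes.lbs_file);
	lsm_blob_size_update(&blobs->lbs_ib, &blob_sizes.lbs_ib);
	/*
	 * inode blob gets an rcu_head in addition to LSM blobs; reserve it
	 * once, before the first inode-using LSM is accounted for.
	 */
	if (blobs->lbs_inode && blob_sizes.lbs_inode == 0)
		blob_sizes.lbs_inode = sizeof(struct rcu_head);
	lsm_blob_size_update(&blobs->lbs_inode, &blob_sizes.lbs_inode);
	lsm_blob_size_update(&blobs->lbs_ipc, &blob_sizes.lbs_ipc);
	lsm_blob_size_update(&blobs->lbs_key, &blob_sizes.lbs_key);
	lsm_blob_size_update(&blobs->lbs_msg_msg, &blob_sizes.lbs_msg_msg);
	lsm_blob_size_update(&blobs->lbs_perf_event,
			     &blob_sizes.lbs_perf_event);
	lsm_blob_size_update(&blobs->lbs_sock, &blob_sizes.lbs_sock);
	lsm_blob_size_update(&blobs->lbs_superblock,
			     &blob_sizes.lbs_superblock);
	lsm_blob_size_update(&blobs->lbs_task, &blob_sizes.lbs_task);
	lsm_blob_size_update(&blobs->lbs_tun_dev, &blob_sizes.lbs_tun_dev);
	lsm_blob_size_update(&blobs->lbs_xattr_count,
			     &blob_sizes.lbs_xattr_count);
	lsm_blob_size_update(&blobs->lbs_bdev, &blob_sizes.lbs_bdev);
	lsm_blob_size_update(&blobs->lbs_bpf_map, &blob_sizes.lbs_bpf_map);
	lsm_blob_size_update(&blobs->lbs_bpf_prog, &blob_sizes.lbs_bpf_prog);
	lsm_blob_size_update(&blobs->lbs_bpf_token, &blob_sizes.lbs_bpf_token);
}

/**
 * lsm_init_single - Initialize a given LSM
 * @lsm: LSM definition
 *
 * A failed init is reported with a WARN but does not abort the boot; the
 * remaining LSMs are still initialized.
 */
static void __init lsm_init_single(struct lsm_info *lsm)
{
	int ret;

	if (!lsm_is_enabled(lsm))
		return;

	lsm_pr_dbg("initializing %s\n", lsm->id->name);
	ret = lsm->init();
	WARN(ret, "%s failed to initialize: %d\n", lsm->id->name, ret);
}

/**
 * lsm_order_parse - Parse the comma delimited LSM list
 * @list: LSM list
 * @src: source of the list
 *
 * Builds lsm_order in the fixed sequence: LSM_ORDER_FIRST LSMs, the
 * LSM_ORDER_MUTABLE LSMs in @list order, the legacy "security=" LSM if any,
 * then LSM_ORDER_LAST LSMs.  Everything left over is explicitly disabled.
 */
static void __init lsm_order_parse(const char *list, const char *src)
{
	struct lsm_info *lsm;
	char *sep, *name, *next;

	/* Handle any Legacy LSM exclusions if one was specified. */
	if (lsm_order_legacy) {
		/*
		 * To match the original "security=" behavior, this explicitly
		 * does NOT fallback to another Legacy Major if the selected
		 * one was separately disabled: disable all non-matching
		 * Legacy Major LSMs.
		 */
		lsm_for_each_raw(lsm) {
			if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) &&
			    strcmp(lsm->id->name, lsm_order_legacy)) {
				lsm_enabled_set(lsm, false);
				lsm_pr_dbg("skip legacy LSM conflict %s:%s\n",
					   src, lsm->id->name);
			}
		}
	}

	/* LSM_ORDER_FIRST */
	lsm_for_each_raw(lsm) {
		if (lsm->order == LSM_ORDER_FIRST)
			lsm_order_append(lsm, "first");
	}

	/* Normal or "mutable" LSMs */
	sep = kstrdup(list, GFP_KERNEL);
	if (!sep) {
		/*
		 * strsep() tolerates a NULL list, so the loop below is safe,
		 * but every mutable LSM would then be silently disabled by
		 * the final pass; say so rather than boot quietly without them.
		 */
		pr_warn("failed to copy the %s LSM list, no mutable LSMs enabled\n",
			src);
	}
	next = sep;
	/* Walk the list, looking for matching LSMs. */
	while ((name = strsep(&next, ",")) != NULL) {
		lsm_for_each_raw(lsm) {
			if (!strcmp(lsm->id->name, name) &&
			    lsm->order == LSM_ORDER_MUTABLE)
				lsm_order_append(lsm, src);
		}
	}
	kfree(sep);

	/* Legacy LSM if specified. */
	if (lsm_order_legacy) {
		lsm_for_each_raw(lsm) {
			if (!strcmp(lsm->id->name, lsm_order_legacy))
				lsm_order_append(lsm, src);
		}
	}

	/* LSM_ORDER_LAST */
	lsm_for_each_raw(lsm) {
		if (lsm->order == LSM_ORDER_LAST)
			lsm_order_append(lsm, "last");
	}

	/* Disable all LSMs not previously enabled. */
	lsm_for_each_raw(lsm) {
		if (lsm_order_exists(lsm))
			continue;
		lsm_enabled_set(lsm, false);
		lsm_pr_dbg("skip disabled LSM %s:%s\n", src, lsm->id->name);
	}
}

/**
 * lsm_static_call_init - Initialize a LSM's static calls
 * @hl: LSM hook list
 *
 * Claims the first unused static call slot for @hl's hook.
 *
 * Returns 0 on success or -ENOSPC when all MAX_LSM_COUNT slots for this hook
 * are already taken.
 */
static int __init lsm_static_call_init(struct security_hook_list *hl)
{
	struct lsm_static_call *scall = hl->scalls;
	int i;

	for (i = 0; i < MAX_LSM_COUNT; i++) {
		/* Update the first static call that is not used yet */
		if (!scall->hl) {
			__static_call_update(scall->key, scall->trampoline,
					     hl->hook.lsm_func_addr);
			scall->hl = hl;
			static_branch_enable(scall->active);
			return 0;
		}
		scall++;
	}

	return -ENOSPC;
}

/**
 * security_add_hooks - Add a LSM's hooks to the LSM framework's hook lists
 * @hooks: LSM hooks to add
 * @count: number of hooks to add
 * @lsmid: identification information for the LSM
 *
 * Each LSM has to register its hooks with the LSM framework.  Running out of
 * static call slots is a build/configuration error, not a runtime condition,
 * so it panics rather than silently dropping hooks.
 */
void __init security_add_hooks(struct security_hook_list *hooks, int count,
			       const struct lsm_id *lsmid)
{
	int i;

	for (i = 0; i < count; i++) {
		hooks[i].lsmid = lsmid;
		if (lsm_static_call_init(&hooks[i]))
			panic("exhausted LSM callback slots with LSM %s\n",
			      lsmid->name);
	}
}

/**
 * early_security_init - Initialize the early LSMs
 *
 * Early LSMs are force-enabled and fully initialized here, ahead of
 * security_init(), which later skips the first lsm_count_early entries of
 * lsm_order so they are not initialized twice.
 */
int __init early_security_init(void)
{
	struct lsm_info *lsm;

	lsm_early_for_each_raw(lsm) {
		lsm_enabled_set(lsm, true);
		lsm_order_append(lsm, "early");
		lsm_prepare(lsm);
		lsm_init_single(lsm);
		/*
		 * NOTE(review): counted even when lsm_order_append() declined
		 * to add @lsm (exclusive conflict or full table), in which case
		 * the skip count in security_init() would be one too high.
		 * Harmless with a single early LSM; revisit if more are added.
		 */
		lsm_count_early++;
	}

	return 0;
}

/**
 * security_init - Initializes the LSM framework
 *
 * This should be called early in the kernel initialization sequence.
 */
int __init security_init(void)
{
	unsigned int cnt;
	struct lsm_info **lsm;

	if (lsm_debug) {
		lsm_pr("built-in LSM list: %s\n", lsm_order_builtin);
		lsm_pr("legacy LSM parameter: %s\n", lsm_order_legacy);
		lsm_pr("boot LSM parameter: %s\n", lsm_order_cmdline);
	}

	if (lsm_order_cmdline) {
		/*
		 * "lsm=" supersedes "security=".  Dropping the legacy
		 * selection silently would hide a misconfiguration from the
		 * administrator, so always say that it is being ignored.
		 */
		if (lsm_order_legacy) {
			pr_warn("both 'security=' and 'lsm=' specified, ignoring 'security=%s'\n",
				lsm_order_legacy);
			lsm_order_legacy = NULL;
		}
		lsm_order_parse(lsm_order_cmdline, "cmdline");
	} else
		lsm_order_parse(lsm_order_builtin, "builtin");

	lsm_order_for_each(lsm)
		lsm_prepare(*lsm);

	/* blob_sizes fields are unsigned int, hence %u. */
	if (lsm_debug) {
		lsm_pr("blob(cred) size %u\n", blob_sizes.lbs_cred);
		lsm_pr("blob(file) size %u\n", blob_sizes.lbs_file);
		lsm_pr("blob(ib) size %u\n", blob_sizes.lbs_ib);
		lsm_pr("blob(inode) size %u\n", blob_sizes.lbs_inode);
		lsm_pr("blob(ipc) size %u\n", blob_sizes.lbs_ipc);
		lsm_pr("blob(key) size %u\n", blob_sizes.lbs_key);
		lsm_pr("blob(msg_msg) size %u\n", blob_sizes.lbs_msg_msg);
		lsm_pr("blob(sock) size %u\n", blob_sizes.lbs_sock);
		lsm_pr("blob(superblock) size %u\n", blob_sizes.lbs_superblock);
		lsm_pr("blob(perf_event) size %u\n", blob_sizes.lbs_perf_event);
		lsm_pr("blob(task) size %u\n", blob_sizes.lbs_task);
		lsm_pr("blob(tun_dev) size %u\n", blob_sizes.lbs_tun_dev);
		lsm_pr("blob(xattr) count %u\n", blob_sizes.lbs_xattr_count);
		lsm_pr("blob(bdev) size %u\n", blob_sizes.lbs_bdev);
		lsm_pr("blob(bpf_map) size %u\n", blob_sizes.lbs_bpf_map);
		lsm_pr("blob(bpf_prog) size %u\n", blob_sizes.lbs_bpf_prog);
		lsm_pr("blob(bpf_token) size %u\n", blob_sizes.lbs_bpf_token);
	}

	/* SLAB_PANIC: a boot without security blob storage is not recoverable. */
	if (blob_sizes.lbs_file)
		lsm_file_cache = kmem_cache_create("lsm_file_cache",
						   blob_sizes.lbs_file, 0,
						   SLAB_PANIC, NULL);
	if (blob_sizes.lbs_inode)
		lsm_inode_cache = kmem_cache_create("lsm_inode_cache",
						    blob_sizes.lbs_inode, 0,
						    SLAB_PANIC, NULL);

	/* The initial task and its credentials predate the framework. */
	if (lsm_cred_alloc((struct cred __rcu *)current->cred, GFP_KERNEL))
		panic("early LSM cred alloc failed\n");
	if (lsm_task_alloc(current))
		panic("early LSM task alloc failed\n");

	cnt = 0;
	lsm_order_for_each(lsm) {
		/* skip the "early" LSMs as they have already been setup */
		if (cnt++ < lsm_count_early)
			continue;
		lsm_init_single(*lsm);
	}

	return 0;
}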