xref: /linux/security/lsm_init.c (revision a619fe35ab41fded440d3762d4fbad84ff86a4d4) 
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * LSM initialization functions
4  */
5 
6 #define pr_fmt(fmt) "LSM: " fmt
7 
8 #include <linux/init.h>
9 #include <linux/lsm_hooks.h>
10 
11 #include "lsm.h"
12 
13 /* LSM enabled constants. */
14 static __initdata int lsm_enabled_true = 1;
15 static __initdata int lsm_enabled_false = 0;
16 
17 /* Pointers to LSM sections defined in include/asm-generic/vmlinux.lds.h */
18 extern struct lsm_info __start_lsm_info[], __end_lsm_info[];
19 extern struct lsm_info __start_early_lsm_info[], __end_early_lsm_info[];
20 
21 /* Number of "early" LSMs */
22 static __initdata unsigned int lsm_count_early;
23 
24 /* Build and boot-time LSM ordering. */
25 static __initconst const char *const lsm_order_builtin = CONFIG_LSM;
26 static __initdata const char *lsm_order_cmdline;
27 static __initdata const char *lsm_order_legacy;
28 
29 /* Ordered list of LSMs to initialize. */
30 static __initdata struct lsm_info *lsm_order[MAX_LSM_COUNT + 1];
31 static __initdata struct lsm_info *lsm_exclusive;
32 
33 #define lsm_order_for_each(iter)					\
34 	for ((iter) = lsm_order; *(iter); (iter)++)
35 #define lsm_for_each_raw(iter)						\
36 	for ((iter) = __start_lsm_info;					\
37 	     (iter) < __end_lsm_info; (iter)++)
38 #define lsm_early_for_each_raw(iter)					\
39 	for ((iter) = __start_early_lsm_info;				\
40 	     (iter) < __end_early_lsm_info; (iter)++)
41 
42 #define lsm_initcall(level)						\
43 	({								\
44 		int _r, _rc = 0;					\
45 		struct lsm_info **_lp, *_l;				\
46 		lsm_order_for_each(_lp) {				\
47 			_l = *_lp;					\
48 			if (!_l->initcall_##level)			\
49 				continue;				\
50 			lsm_pr_dbg("running %s %s initcall",		\
51 				   _l->id->name, #level);		\
52 			_r = _l->initcall_##level();			\
53 			if (_r) {					\
54 				pr_warn("failed LSM %s %s initcall with errno %d\n", \
55 					_l->id->name, #level, _r);	\
56 				if (!_rc)				\
57 					_rc = _r;			\
58 			}						\
59 		}							\
60 		_rc;							\
61 	})
62 
63 /**
64  * lsm_choose_security - Legacy "major" LSM selection
65  * @str: kernel command line parameter
66  */
67 static int __init lsm_choose_security(char *str)
68 {
69 	lsm_order_legacy = str;
70 	return 1;
71 }
72 __setup("security=", lsm_choose_security);
73 
74 /**
75  * lsm_choose_lsm - Modern LSM selection
76  * @str: kernel command line parameter
77  */
78 static int __init lsm_choose_lsm(char *str)
79 {
80 	lsm_order_cmdline = str;
81 	return 1;
82 }
83 __setup("lsm=", lsm_choose_lsm);
84 
85 /**
86  * lsm_debug_enable - Enable LSM framework debugging
87  * @str: kernel command line parameter
88  *
89  * Currently we only provide debug info during LSM initialization, but we may
90  * want to expand this in the future.
91  */
92 static int __init lsm_debug_enable(char *str)
93 {
94 	lsm_debug = true;
95 	return 1;
96 }
97 __setup("lsm.debug", lsm_debug_enable);
98 
99 /**
100  * lsm_enabled_set - Mark a LSM as enabled
101  * @lsm: LSM definition
102  * @enabled: enabled flag
103  */
104 static void __init lsm_enabled_set(struct lsm_info *lsm, bool enabled)
105 {
106 	/*
107 	 * When an LSM hasn't configured an enable variable, we can use
108 	 * a hard-coded location for storing the default enabled state.
109 	 */
110 	if (!lsm->enabled ||
111 	    lsm->enabled == &lsm_enabled_true ||
112 	    lsm->enabled == &lsm_enabled_false) {
113 		lsm->enabled = enabled ? &lsm_enabled_true : &lsm_enabled_false;
114 	} else {
115 		*lsm->enabled = enabled;
116 	}
117 }
118 
119 /**
120  * lsm_is_enabled - Determine if a LSM is enabled
121  * @lsm: LSM definition
122  */
123 static inline bool lsm_is_enabled(struct lsm_info *lsm)
124 {
125 	return (lsm->enabled ? *lsm->enabled : false);
126 }
127 
128 /**
129  * lsm_order_exists - Determine if a LSM exists in the ordered list
130  * @lsm: LSM definition
131  */
132 static bool __init lsm_order_exists(struct lsm_info *lsm)
133 {
134 	struct lsm_info **check;
135 
136 	lsm_order_for_each(check) {
137 		if (*check == lsm)
138 			return true;
139 	}
140 
141 	return false;
142 }
143 
144 /**
145  * lsm_order_append - Append a LSM to the ordered list
146  * @lsm: LSM definition
147  * @src: source of the addition
148  *
149  * Append @lsm to the enabled LSM array after ensuring that it hasn't been
150  * explicitly disabled, is a duplicate entry, or would run afoul of the
151  * LSM_FLAG_EXCLUSIVE logic.
152  */
153 static void __init lsm_order_append(struct lsm_info *lsm, const char *src)
154 {
155 	/* Ignore duplicate selections. */
156 	if (lsm_order_exists(lsm))
157 		return;
158 
159 	/* Skip explicitly disabled LSMs. */
160 	if (lsm->enabled && !lsm_is_enabled(lsm)) {
161 		lsm_pr_dbg("skip previously disabled LSM %s:%s\n",
162 			   src, lsm->id->name);
163 		return;
164 	}
165 
166 	if (lsm_active_cnt == MAX_LSM_COUNT) {
167 		pr_warn("exceeded maximum LSM count on %s:%s\n",
168 			src, lsm->id->name);
169 		lsm_enabled_set(lsm, false);
170 		return;
171 	}
172 
173 	if (lsm->flags & LSM_FLAG_EXCLUSIVE) {
174 		if (lsm_exclusive) {
175 			lsm_pr_dbg("skip exclusive LSM conflict %s:%s\n",
176 				   src, lsm->id->name);
177 			lsm_enabled_set(lsm, false);
178 			return;
179 		} else {
180 			lsm_pr_dbg("select exclusive LSM %s:%s\n",
181 				   src, lsm->id->name);
182 			lsm_exclusive = lsm;
183 		}
184 	}
185 
186 	lsm_enabled_set(lsm, true);
187 	lsm_order[lsm_active_cnt] = lsm;
188 	lsm_idlist[lsm_active_cnt++] = lsm->id;
189 
190 	lsm_pr_dbg("enabling LSM %s:%s\n", src, lsm->id->name);
191 }
192 
193 /**
194  * lsm_order_parse - Parse the comma delimited LSM list
195  * @list: LSM list
196  * @src: source of the list
197  */
198 static void __init lsm_order_parse(const char *list, const char *src)
199 {
200 	struct lsm_info *lsm;
201 	char *sep, *name, *next;
202 
203 	/* Handle any Legacy LSM exclusions if one was specified. */
204 	if (lsm_order_legacy) {
205 		/*
206 		 * To match the original "security=" behavior, this explicitly
207 		 * does NOT fallback to another Legacy Major if the selected
208 		 * one was separately disabled: disable all non-matching
209 		 * Legacy Major LSMs.
210 		 */
211 		lsm_for_each_raw(lsm) {
212 			if ((lsm->flags & LSM_FLAG_LEGACY_MAJOR) &&
213 			     strcmp(lsm->id->name, lsm_order_legacy)) {
214 				lsm_enabled_set(lsm, false);
215 				lsm_pr_dbg("skip legacy LSM conflict %s:%s\n",
216 					   src, lsm->id->name);
217 			}
218 		}
219 	}
220 
221 	/* LSM_ORDER_FIRST */
222 	lsm_for_each_raw(lsm) {
223 		if (lsm->order == LSM_ORDER_FIRST)
224 			lsm_order_append(lsm, "first");
225 	}
226 
227 	/* Normal or "mutable" LSMs */
228 	sep = kstrdup(list, GFP_KERNEL);
229 	next = sep;
230 	/* Walk the list, looking for matching LSMs. */
231 	while ((name = strsep(&next, ",")) != NULL) {
232 		lsm_for_each_raw(lsm) {
233 			if (!strcmp(lsm->id->name, name) &&
234 			    lsm->order == LSM_ORDER_MUTABLE)
235 				lsm_order_append(lsm, src);
236 		}
237 	}
238 	kfree(sep);
239 
240 	/* Legacy LSM if specified. */
241 	if (lsm_order_legacy) {
242 		lsm_for_each_raw(lsm) {
243 			if (!strcmp(lsm->id->name, lsm_order_legacy))
244 				lsm_order_append(lsm, src);
245 		}
246 	}
247 
248 	/* LSM_ORDER_LAST */
249 	lsm_for_each_raw(lsm) {
250 		if (lsm->order == LSM_ORDER_LAST)
251 			lsm_order_append(lsm, "last");
252 	}
253 
254 	/* Disable all LSMs not previously enabled. */
255 	lsm_for_each_raw(lsm) {
256 		if (lsm_order_exists(lsm))
257 			continue;
258 		lsm_enabled_set(lsm, false);
259 		lsm_pr_dbg("skip disabled LSM %s:%s\n", src, lsm->id->name);
260 	}
261 }
262 
263 /**
264  * lsm_blob_size_update - Update the LSM blob size and offset information
265  * @sz_req: the requested additional blob size
266  * @sz_cur: the existing blob size
267  */
268 static void __init lsm_blob_size_update(unsigned int *sz_req,
269 					unsigned int *sz_cur)
270 {
271 	unsigned int offset;
272 
273 	if (*sz_req == 0)
274 		return;
275 
276 	offset = ALIGN(*sz_cur, sizeof(void *));
277 	*sz_cur = offset + *sz_req;
278 	*sz_req = offset;
279 }
280 
281 /**
282  * lsm_prepare - Prepare the LSM framework for a new LSM
283  * @lsm: LSM definition
284  */
285 static void __init lsm_prepare(struct lsm_info *lsm)
286 {
287 	struct lsm_blob_sizes *blobs = lsm->blobs;
288 
289 	if (!blobs)
290 		return;
291 
292 	/* Register the LSM blob sizes. */
293 	blobs = lsm->blobs;
294 	lsm_blob_size_update(&blobs->lbs_cred, &blob_sizes.lbs_cred);
295 	lsm_blob_size_update(&blobs->lbs_file, &blob_sizes.lbs_file);
296 	lsm_blob_size_update(&blobs->lbs_ib, &blob_sizes.lbs_ib);
297 	/* inode blob gets an rcu_head in addition to LSM blobs. */
298 	if (blobs->lbs_inode && blob_sizes.lbs_inode == 0)
299 		blob_sizes.lbs_inode = sizeof(struct rcu_head);
300 	lsm_blob_size_update(&blobs->lbs_inode, &blob_sizes.lbs_inode);
301 	lsm_blob_size_update(&blobs->lbs_ipc, &blob_sizes.lbs_ipc);
302 	lsm_blob_size_update(&blobs->lbs_key, &blob_sizes.lbs_key);
303 	lsm_blob_size_update(&blobs->lbs_msg_msg, &blob_sizes.lbs_msg_msg);
304 	lsm_blob_size_update(&blobs->lbs_perf_event,
305 			     &blob_sizes.lbs_perf_event);
306 	lsm_blob_size_update(&blobs->lbs_sock, &blob_sizes.lbs_sock);
307 	lsm_blob_size_update(&blobs->lbs_superblock,
308 			     &blob_sizes.lbs_superblock);
309 	lsm_blob_size_update(&blobs->lbs_task, &blob_sizes.lbs_task);
310 	lsm_blob_size_update(&blobs->lbs_tun_dev, &blob_sizes.lbs_tun_dev);
311 	lsm_blob_size_update(&blobs->lbs_xattr_count,
312 			     &blob_sizes.lbs_xattr_count);
313 	lsm_blob_size_update(&blobs->lbs_bdev, &blob_sizes.lbs_bdev);
314 	lsm_blob_size_update(&blobs->lbs_bpf_map, &blob_sizes.lbs_bpf_map);
315 	lsm_blob_size_update(&blobs->lbs_bpf_prog, &blob_sizes.lbs_bpf_prog);
316 	lsm_blob_size_update(&blobs->lbs_bpf_token, &blob_sizes.lbs_bpf_token);
317 }
318 
319 /**
320  * lsm_init_single - Initialize a given LSM
321  * @lsm: LSM definition
322  */
323 static void __init lsm_init_single(struct lsm_info *lsm)
324 {
325 	int ret;
326 
327 	if (!lsm_is_enabled(lsm))
328 		return;
329 
330 	lsm_pr_dbg("initializing %s\n", lsm->id->name);
331 	ret = lsm->init();
332 	WARN(ret, "%s failed to initialize: %d\n", lsm->id->name, ret);
333 }
334 
335 /**
336  * lsm_static_call_init - Initialize a LSM's static calls
337  * @hl: LSM hook list
338  */
339 static int __init lsm_static_call_init(struct security_hook_list *hl)
340 {
341 	struct lsm_static_call *scall = hl->scalls;
342 	int i;
343 
344 	for (i = 0; i < MAX_LSM_COUNT; i++) {
345 		/* Update the first static call that is not used yet */
346 		if (!scall->hl) {
347 			__static_call_update(scall->key, scall->trampoline,
348 					     hl->hook.lsm_func_addr);
349 			scall->hl = hl;
350 			static_branch_enable(scall->active);
351 			return 0;
352 		}
353 		scall++;
354 	}
355 
356 	return -ENOSPC;
357 }
358 
359 /**
360  * security_add_hooks - Add a LSM's hooks to the LSM framework's hook lists
361  * @hooks: LSM hooks to add
362  * @count: number of hooks to add
363  * @lsmid: identification information for the LSM
364  *
365  * Each LSM has to register its hooks with the LSM framework.
366  */
367 void __init security_add_hooks(struct security_hook_list *hooks, int count,
368 			       const struct lsm_id *lsmid)
369 {
370 	int i;
371 
372 	for (i = 0; i < count; i++) {
373 		hooks[i].lsmid = lsmid;
374 		if (lsm_static_call_init(&hooks[i]))
375 			panic("exhausted LSM callback slots with LSM %s\n",
376 			      lsmid->name);
377 	}
378 }
379 
380 /**
381  * early_security_init - Initialize the early LSMs
382  */
383 int __init early_security_init(void)
384 {
385 	struct lsm_info *lsm;
386 
387 	/* NOTE: lsm_pr_dbg() doesn't work here as lsm_debug is not yet set */
388 
389 	lsm_early_for_each_raw(lsm) {
390 		lsm_enabled_set(lsm, true);
391 		lsm_order_append(lsm, "early");
392 		lsm_prepare(lsm);
393 		lsm_init_single(lsm);
394 		lsm_count_early++;
395 	}
396 
397 	return 0;
398 }
399 
400 /**
401  * security_init - Initializes the LSM framework
402  *
403  * This should be called early in the kernel initialization sequence.
404  */
405 int __init security_init(void)
406 {
407 	unsigned int cnt;
408 	struct lsm_info **lsm;
409 
410 	if (lsm_debug) {
411 		struct lsm_info *i;
412 
413 		cnt = 0;
414 		lsm_pr("available LSMs: ");
415 		lsm_early_for_each_raw(i)
416 			lsm_pr_cont("%s%s(E)", (cnt++ ? "," : ""), i->id->name);
417 		lsm_for_each_raw(i)
418 			lsm_pr_cont("%s%s", (cnt++ ? "," : ""), i->id->name);
419 		lsm_pr_cont("\n");
420 
421 		lsm_pr("built-in LSM config: %s\n", lsm_order_builtin);
422 
423 		lsm_pr("legacy LSM parameter: %s\n", lsm_order_legacy);
424 		lsm_pr("boot LSM parameter: %s\n", lsm_order_cmdline);
425 
426 		/* see the note about lsm_pr_dbg() in early_security_init() */
427 		lsm_early_for_each_raw(i)
428 			lsm_pr("enabled LSM early:%s\n", i->id->name);
429 	}
430 
431 	if (lsm_order_cmdline) {
432 		if (lsm_order_legacy)
433 			lsm_order_legacy = NULL;
434 		lsm_order_parse(lsm_order_cmdline, "cmdline");
435 	} else
436 		lsm_order_parse(lsm_order_builtin, "builtin");
437 
438 	lsm_order_for_each(lsm)
439 		lsm_prepare(*lsm);
440 
441 	if (lsm_debug) {
442 		lsm_pr("blob(cred) size %d\n", blob_sizes.lbs_cred);
443 		lsm_pr("blob(file) size %d\n", blob_sizes.lbs_file);
444 		lsm_pr("blob(ib) size %d\n", blob_sizes.lbs_ib);
445 		lsm_pr("blob(inode) size %d\n", blob_sizes.lbs_inode);
446 		lsm_pr("blob(ipc) size %d\n", blob_sizes.lbs_ipc);
447 		lsm_pr("blob(key) size %d\n", blob_sizes.lbs_key);
448 		lsm_pr("blob(msg_msg)_size %d\n", blob_sizes.lbs_msg_msg);
449 		lsm_pr("blob(sock) size %d\n", blob_sizes.lbs_sock);
450 		lsm_pr("blob(superblock) size %d\n", blob_sizes.lbs_superblock);
451 		lsm_pr("blob(perf_event) size %d\n", blob_sizes.lbs_perf_event);
452 		lsm_pr("blob(task) size %d\n", blob_sizes.lbs_task);
453 		lsm_pr("blob(tun_dev) size %d\n", blob_sizes.lbs_tun_dev);
454 		lsm_pr("blob(xattr) count %d\n", blob_sizes.lbs_xattr_count);
455 		lsm_pr("blob(bdev) size %d\n", blob_sizes.lbs_bdev);
456 		lsm_pr("blob(bpf_map) size %d\n", blob_sizes.lbs_bpf_map);
457 		lsm_pr("blob(bpf_prog) size %d\n", blob_sizes.lbs_bpf_prog);
458 		lsm_pr("blob(bpf_token) size %d\n", blob_sizes.lbs_bpf_token);
459 	}
460 
461 	if (blob_sizes.lbs_file)
462 		lsm_file_cache = kmem_cache_create("lsm_file_cache",
463 						   blob_sizes.lbs_file, 0,
464 						   SLAB_PANIC, NULL);
465 	if (blob_sizes.lbs_inode)
466 		lsm_inode_cache = kmem_cache_create("lsm_inode_cache",
467 						    blob_sizes.lbs_inode, 0,
468 						    SLAB_PANIC, NULL);
469 
470 	if (lsm_cred_alloc((struct cred *)unrcu_pointer(current->cred),
471 			   GFP_KERNEL))
472 		panic("early LSM cred alloc failed\n");
473 	if (lsm_task_alloc(current))
474 		panic("early LSM task alloc failed\n");
475 
476 	cnt = 0;
477 	lsm_order_for_each(lsm) {
478 		/* skip the "early" LSMs as they have already been setup */
479 		if (cnt++ < lsm_count_early)
480 			continue;
481 		lsm_init_single(*lsm);
482 	}
483 
484 	return 0;
485 }
486 
487 /**
488  * security_initcall_pure - Run the LSM pure initcalls
489  */
490 static int __init security_initcall_pure(void)
491 {
492 	int rc_adr, rc_lsm;
493 
494 	rc_adr = min_addr_init();
495 	rc_lsm = lsm_initcall(pure);
496 
497 	return (rc_adr ? rc_adr : rc_lsm);
498 }
499 pure_initcall(security_initcall_pure);
500 
501 /**
502  * security_initcall_early - Run the LSM early initcalls
503  */
504 static int __init security_initcall_early(void)
505 {
506 	return lsm_initcall(early);
507 }
508 early_initcall(security_initcall_early);
509 
510 /**
511  * security_initcall_core - Run the LSM core initcalls
512  */
513 static int __init security_initcall_core(void)
514 {
515 	int rc_sfs, rc_lsm;
516 
517 	rc_sfs = securityfs_init();
518 	rc_lsm = lsm_initcall(core);
519 
520 	return (rc_sfs ? rc_sfs : rc_lsm);
521 }
522 core_initcall(security_initcall_core);
523 
524 /**
525  * security_initcall_subsys - Run the LSM subsys initcalls
526  */
527 static int __init security_initcall_subsys(void)
528 {
529 	return lsm_initcall(subsys);
530 }
531 subsys_initcall(security_initcall_subsys);
532 
533 /**
534  * security_initcall_fs - Run the LSM fs initcalls
535  */
536 static int __init security_initcall_fs(void)
537 {
538 	return lsm_initcall(fs);
539 }
540 fs_initcall(security_initcall_fs);
541 
542 /**
543  * security_initcall_device - Run the LSM device initcalls
544  */
545 static int __init security_initcall_device(void)
546 {
547 	return lsm_initcall(device);
548 }
549 device_initcall(security_initcall_device);
550 
551 /**
552  * security_initcall_late - Run the LSM late initcalls
553  */
554 static int __init security_initcall_late(void)
555 {
556 	int rc;
557 
558 	rc = lsm_initcall(late);
559 	lsm_pr_dbg("all enabled LSMs fully activated\n");
560 	call_blocking_lsm_notifier(LSM_STARTED_ALL, NULL);
561 
562 	return rc;
563 }
564 late_initcall(security_initcall_late);
565