Re: Early initialization of security modules

From: Chris Wright (chrisat_private)
Date: Mon Sep 30 2002 - 00:39:50 PDT


    * Stephen Smalley (sdsat_private) wrote:
    > 
    > I know that the issue of early initialization of security modules came up
    > at OLS (i.e. initializing right after the security scaffold has
    > initialized, prior to any kernel objects being created other than the
    > initial task), and I think that Chris has an experimental patch
    > implementing support for early initialization.  Such a patch would be
    > useful to SELinux, as it would ensure that we can set up the security
    > state for all kernel objects when they are created, as opposed to having
    > to play catch up via precondition functions or trying to locate all such
    > pre-existing objects during module initialization.  What do others think?
    
    I think it could be useful.  This is not well-abstracted, but IIRC it
    works fine when last tested.
    
    thanks,
    -chris
    -- 
    Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
    
    ===== arch/i386/vmlinux.lds 1.7 vs edited =====
    --- 1.7/arch/i386/vmlinux.lds	Fri May 24 11:55:34 2002
    +++ edited/arch/i386/vmlinux.lds	Fri Aug 30 11:18:29 2002
    @@ -58,6 +58,11 @@
     	*(.initcall7.init)
       }
       __initcall_end = .;
    +  __security_initcall_start = .;
    +  .secinit.init : {
    +	*(.initcall8.init)
    +  }
    +  __security_initcall_end = .;
       . = ALIGN(32);
       __per_cpu_start = .;
       .data.percpu  : { *(.data.percpu) }
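Review bot: Only the i386 linker script gains the `__security_initcall_start`/`__security_initcall_end` symbols, yet the security/security.c hunk walks them unconditionally, so a kernel for any other architecture presumably fails to link until its vmlinux.lds grows the same `.secinit.init` block; either add it to the other arch scripts in this patch or make the walk conditional. The new section also deserves a comment, e.g. `/* security_initcall()s: run by security_scaffolding_startup(), deliberately kept outside __initcall_start..__initcall_end */`, because a later cleanup that collapses the initcall sections into one range would otherwise silently fold level 8 back into the ordinary do_initcalls() order and lose the early initialization this patch exists for.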
    ===== include/linux/init.h 1.10 vs edited =====
    --- 1.10/include/linux/init.h	Sat Aug 10 11:42:20 2002
    +++ edited/include/linux/init.h	Fri Aug 30 11:01:25 2002
    @@ -49,6 +49,7 @@
     typedef void (*exitcall_t)(void);
     
     extern initcall_t __initcall_start, __initcall_end;
    +extern initcall_t __security_initcall_start, __security_initcall_end;
     
     /* initcalls are now grouped by functionality into separate 
      * subsections. Ordering inside the subsections is determined
    @@ -68,6 +69,8 @@
     #define device_initcall(fn)		__define_initcall("6",fn)
     #define late_initcall(fn)		__define_initcall("7",fn)
     
    +#define security_initcall(fn)		__define_initcall("8",fn)
    +
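Review bot: Defining `security_initcall` as `__define_initcall("8", fn)` reuses the ordinary initcall numbering, so it reads as "runs after late_initcall" even though the linker-script hunk places `.initcall8.init` outside `__initcall_start..__initcall_end` and security.c runs it before any other initcall. A short comment next to the define would prevent the obvious misreading: `/* "8" is not a level: these land in .secinit.init and are run by do_security_initcalls() before level 1 */`. Anyone adding a real level 8 later would also collide with this section name, which the comment should warn about.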
     #define __initcall(fn) device_initcall(fn)
     
     #define __exitcall(fn)								\
    @@ -119,6 +122,16 @@
     #define module_init(x)	__initcall(x);
     
     /**
    + * security_module_init() - security module initialization entry point
    + * @x: funtion to be run at kernel boot time or module insertion
    + *
    + * security_module_init() simply uses it's own portion of the
    + * __initcal.init section.  This allows security modules to be
    + * initialized earlier when compiled statically.
    + */
    +#define security_module_init(x) security_initcall(x);
    +
    +/**
      * module_exit() - driver exit entry point
      * @x: function to be run when driver is removed
      * 
    @@ -152,6 +165,7 @@
     	int init_module(void) __attribute__((alias(#x))); \
     	static inline __init_module_func_t __init_module_inline(void) \
     	{ return x; }
    +#define security_module_init(x) module_init(x)
     #define module_exit(x) \
     	void cleanup_module(void) __attribute__((alias(#x))); \
     	static inline __cleanup_module_func_t __cleanup_module_inline(void) \
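Review bot: In the MODULE branch `security_module_init(x)` simply becomes `module_init(x)`, so a security module loaded after boot gets none of the early-initialization guarantee and is back to the catch-up-on-pre-existing-objects situation the thread describes; that asymmetry is invisible at the call site in capability.c and should be documented where the fallback is defined, e.g. `/* as a module, early init is impossible: init runs at insmod time and must cope with already-existing objects */`. The surrounding `module_init`/`module_exit` macro definitions continue outside this hunk (note the trailing backslash on the last context line).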
    ===== security/capability.c 1.8 vs edited =====
    --- 1.8/security/capability.c	Fri Aug 16 00:54:00 2002
    +++ edited/security/capability.c	Fri Aug 30 11:19:26 2002
    @@ -1265,7 +1265,7 @@
     	}
     }
     
    -module_init (capability_init);
    +security_module_init (capability_init);
     module_exit (capability_exit);
     
     MODULE_DESCRIPTION("Standard Linux Capabilities Security Module");
    ===== security/security.c 1.2 vs edited =====
    --- 1.2/security/security.c	Tue Aug  6 12:24:06 2002
    +++ edited/security/security.c	Fri Aug 30 11:34:49 2002
    @@ -76,6 +76,16 @@
     	return 0;
     }
     
    +static void __init do_security_initcalls(void)
    +{
    +	initcall_t *call;
    +	call = &__security_initcall_start;
    +	while (call < &__security_initcall_end) {
    +		(*call)();
    +		call++;
    +	}
    +}
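Review bot: `do_security_initcalls()` discards whatever each initializer returns, so a statically linked security module whose init fails (for example because `register_security` refuses it) leaves the kernel running silently on `dummy_security_ops`, which is a fail-open outcome for exactly the code meant to enforce policy; if `initcall_t` returns `int` as the regular initcalls do, capture it and at least report it, e.g. `int rc = (*call)(); if (rc) printk(KERN_ERR "security initcall %p failed: %d\n", *call, rc);`, with a `panic()` as an option for configurations that consider the module mandatory. It is also worth a comment that with several modules compiled in, their order here is link order and only the first successful `register_security` becomes primary, since nothing in the loop arbitrates between them.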
    +
     /**
      * security_scaffolding_startup - initialzes the security scaffolding framework
      *
    @@ -87,6 +97,7 @@
     		" initialized\n");
     
     	security_ops = &dummy_security_ops;
    +	do_security_initcalls();
     
     	return 0;
     }
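Review bot: Placing `do_security_initcalls()` after `security_ops = &dummy_security_ops;` is the right order, since a module's init presumably compares against or replaces the dummy ops, but the "initialized" printk on the preceding context line now fires before those initializers run, and the kerneldoc for `security_scaffolding_startup` (a context line above this hunk) does not mention that statically linked security modules are now initialized from here. Add to that description something like: "Also runs the security_initcall()s of statically linked modules; they execute before any ordinary initcall, with only the initial task in existence." The function's opening lines are outside this hunk.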
    


