* Stephen Smalley (sdsat_private) wrote: > > I know that the issue of early initialization of security modules came up > at OLS (i.e. initializing right after the security scaffold has > initialized, prior to any kernel objects being created other than the > initial task), and I think that Chris has an experimental patch > implementing support for early initialization. Such a patch would be > useful to SELinux, as it would ensure that we can set up the security > state for all kernel objects when they are created, as opposed to having > to play catch up via precondition functions or trying to locate all such > pre-existing objects during module initialization. What do others think? I think it could be useful. This is not well-abstracted, but IIRC it works fine when last tested. thanks, -chris -- Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
===== arch/i386/vmlinux.lds 1.7 vs edited =====
--- 1.7/arch/i386/vmlinux.lds Fri May 24 11:55:34 2002
+++ edited/arch/i386/vmlinux.lds Fri Aug 30 11:18:29 2002
@@ -58,6 +58,11 @@
 *(.initcall7.init)
 }
 __initcall_end = .;
+ __security_initcall_start = .;
+ .secinit.init : {
+ *(.initcall8.init)
+ }
+ __security_initcall_end = .;
 . = ALIGN(32);
 __per_cpu_start = .;
 .data.percpu : { *(.data.percpu) }
===== include/linux/init.h 1.10 vs edited =====
--- 1.10/include/linux/init.h Sat Aug 10 11:42:20 2002
+++ edited/include/linux/init.h Fri Aug 30 11:01:25 2002
@@ -49,6 +49,7 @@
 typedef void (*exitcall_t)(void);
 extern initcall_t __initcall_start, __initcall_end;
+extern initcall_t __security_initcall_start, __security_initcall_end;
 /* initcalls are now grouped by functionality into separate
 * subsections. Ordering inside the subsections is determined
@@ -68,6 +69,8 @@
 #define device_initcall(fn) __define_initcall("6",fn)
 #define late_initcall(fn) __define_initcall("7",fn)
+#define security_initcall(fn) __define_initcall("8",fn)
+
 #define __initcall(fn) device_initcall(fn)
 #define __exitcall(fn) \
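Review bot: Only arch/i386/vmlinux.lds gains the `.secinit.init` output section and the `__security_initcall_start`/`__security_initcall_end` symbols, yet the `extern initcall_t __security_initcall_start, __security_initcall_end;` added to include/linux/init.h in the next hunk and the walker in security/security.c reference them unconditionally, so a built-in security module presumably fails to link on every other architecture until its linker script carries the same five lines. The placement is deliberate and deserves a comment, since the new range sits after `__initcall_end` and is therefore skipped by the ordinary initcall walk; something like `/* level 8 initcalls: outside __initcall_start..__initcall_end, run only by security_scaffolding_startup() */` at the new section would keep a later cleanup from folding it back into the `.initcall*.init` run. The `__exitcall` macro that ends the init.h hunk continues outside the visible text.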
@@ -119,6 +122,16 @@
 #define module_init(x) __initcall(x);
 /**
+ * security_module_init() - security module initialization entry point
+ * @x: funtion to be run at kernel boot time or module insertion
+ *
+ * security_module_init() simply uses it's own portion of the
+ * __initcal.init section. This allows security modules to be
+ * initialized earlier when compiled statically.
+ */
+#define security_module_init(x) security_initcall(x);
+
+/**
 * module_exit() - driver exit entry point
 * @x: function to be run when driver is removed
 *
@@ -152,6 +165,7 @@
 int init_module(void) __attribute__((alias(#x))); \
 static inline __init_module_func_t __init_module_inline(void) \
 { return x; }
+#define security_module_init(x) module_init(x)
 #define module_exit(x) \
 void cleanup_module(void) __attribute__((alias(#x))); \
 static inline __cleanup_module_func_t __cleanup_module_inline(void) \
===== security/capability.c 1.8 vs edited =====
--- 1.8/security/capability.c Fri Aug 16 00:54:00 2002
+++ edited/security/capability.c Fri Aug 30 11:19:26 2002
@@ -1265,7 +1265,7 @@
 }
 }
-module_init (capability_init);
+security_module_init (capability_init);
 module_exit (capability_exit);
 MODULE_DESCRIPTION("Standard Linux Capabilities Security Module");
===== security/security.c 1.2 vs edited =====
--- 1.2/security/security.c Tue Aug 6 12:24:06 2002
+++ edited/security/security.c Fri Aug 30 11:34:49 2002
@@ -76,6 +76,16 @@
 return 0;
 }
+static void __init do_security_initcalls(void)
+{
+ initcall_t *call;
+ call = &__security_initcall_start;
+ while (call < &__security_initcall_end) {
+ (*call)();
+ call++;
+ }
+}
+
 /**
 * security_scaffolding_startup - initialzes the security scaffolding framework
 *
@@ -87,6 +97,7 @@
 " initialized\n");
 security_ops = &dummy_security_ops;
+ do_security_initcalls();
 return 0;
 }
_______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
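Review bot: The new kerneldoc for security_module_init() misdescribes the mechanism and has typos that will be copied into generated docs: "funtion", "it's own", and "__initcal.init" (there is no such section; the macro expands to `security_initcall(x)`, i.e. `__define_initcall("8",fn)`, which the i386 linker script collects into `.secinit.init` outside the `__initcall_start..__initcall_end` range). The one fact a module author needs is missing: a function registered this way is run from security_scaffolding_startup(), so it presumably cannot rely on anything set up by the level 1-7 initcalls. I would replace the body with `* security_module_init() places @x in the .initcall8.init section, which is` / `* walked by security_scaffolding_startup() before the regular initcalls, so a` / `* statically linked security module is initialized before other kernel objects exist.` and fix the two spelling errors on the @x and "it's" lines.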
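Review bot: do_security_initcalls() discards the result of every `(*call)()`, and the init functions it runs return int (the MODULE-branch alias in init.h declares them as `int init_module(void)`), so a security module whose init fails is silently skipped; because the call site in the following hunk comes after `security_ops = &dummy_security_ops;`, the kernel then boots with the dummy ops installed and security_scaffolding_startup() still returns 0 with an "initialized" message already printed. At minimum the failure should be visible: `if ((*call)() != 0) printk(KERN_ERR "Security Scaffold: early initcall failed\n");`, and whether such a failure should be fatal rather than fail-open is worth a decision in the commit message. Minor style: the declaration and assignment can be merged, `initcall_t *call = &__security_initcall_start;`. The function is complete within the hunk; security_scaffolding_startup() in the second hunk extends outside it.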