[RFC][PATCH] Early init for security modules

From: Chris Wright (chrisat_private)
Date: Tue Apr 08 2003 - 16:21:14 PDT

  • Next message: Mike Wray: "Security initializer bugs"

    As discussed before, here is a simple (x86 only) patch to allow for
    early initialization of security modules when compiled statically into
    the kernel.  The standard do_initcalls is too late for complete coverage
    of all filesystems and threads for example.  If this looks alright, I
    can polish it off with complete arch support and submit to Linus.  Patch
    is against 2.5.67-bk.
    
    thanks,
    -chris
    -- 
    Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
    
    ===== arch/i386/vmlinux.lds.S 1.26 vs edited =====
    --- 1.26/arch/i386/vmlinux.lds.S	Sun Feb 16 15:55:23 2003
    +++ edited/arch/i386/vmlinux.lds.S	Tue Apr  8 16:12:28 2003
    @@ -77,6 +77,9 @@
       __con_initcall_start = .;
       .con_initcall.init : { *(.con_initcall.init) }
       __con_initcall_end = .;
    +  __security_initcall_start = .;
    +  .security_initcall.init : { *(.security_initcall.init) }
    +  __security_initcall_end = .;
       . = ALIGN(4096);
       __initramfs_start = .;
       .init.ramfs : { *(.init.ramfs) }
    ===== include/linux/init.h 1.25 vs edited =====
    --- 1.25/include/linux/init.h	Mon Mar  3 13:05:26 2003
    +++ edited/include/linux/init.h	Tue Apr  8 16:12:29 2003
    @@ -64,6 +64,7 @@
     typedef void (*exitcall_t)(void);
     
     extern initcall_t __con_initcall_start, __con_initcall_end;
    +extern initcall_t __security_initcall_start, __security_initcall_end;
     #endif
       
     #ifndef MODULE
    @@ -96,6 +97,9 @@
     #define console_initcall(fn) \
     	static initcall_t __initcall_##fn __attribute__ ((unused,__section__ (".con_initcall.init")))=fn
     
    +#define security_initcall(fn) \
    +	static initcall_t __initcall_##fn __attribute__ ((unused,__section__ (".security_initcall.init"))) = fn
    +
     struct obs_kernel_param {
     	const char *str;
     	int (*setup_func)(char *);
    @@ -142,6 +146,8 @@
     #define fs_initcall(fn)			module_init(fn)
     #define device_initcall(fn)		module_init(fn)
     #define late_initcall(fn)		module_init(fn)
    +
    +#define security_initcall(fn)		module_init(fn)
     
     /* These macros create a dummy inline: gcc 2.9x does not count alias
      as usage, hence the `unused function' warning when __init functions
    ===== init/main.c 1.96 vs edited =====
    --- 1.96/init/main.c	Thu Mar 27 21:13:34 2003
    +++ edited/init/main.c	Tue Apr  8 16:12:29 2003
    @@ -435,8 +435,8 @@
     	pte_chain_init();
     	fork_init(num_physpages);
     	proc_caches_init();
    -	security_scaffolding_startup();
     	buffer_init();
    +	security_scaffolding_startup();
     	vfs_caches_init(num_physpages);
     	radix_tree_init();
     	signals_init();
    ===== security/capability.c 1.15 vs edited =====
    --- 1.15/security/capability.c	Mon Feb 17 12:08:10 2003
    +++ edited/security/capability.c	Tue Apr  8 16:12:29 2003
    @@ -348,7 +348,7 @@
     	}
     }
     
    -module_init (capability_init);
    +security_initcall (capability_init);
     module_exit (capability_exit);
     
     MODULE_DESCRIPTION("Standard Linux Capabilities Security Module");
    ===== security/root_plug.c 1.2 vs edited =====
    --- 1.2/security/root_plug.c	Wed Dec 18 15:09:26 2002
    +++ edited/security/root_plug.c	Tue Apr  8 16:20:25 2003
    @@ -184,7 +184,7 @@
     	printk (KERN_INFO "Root Plug module removed\n");
     }
     
    -module_init (rootplug_init);
    +security_initcall (rootplug_init);
     module_exit (rootplug_exit);
     
     MODULE_DESCRIPTION("Root Plug sample LSM module, written for Linux Journal article");
    ===== security/security.c 1.7 vs edited =====
    --- 1.7/security/security.c	Wed Dec 18 15:10:17 2002
    +++ edited/security/security.c	Tue Apr  8 16:20:07 2003
    @@ -38,12 +38,22 @@
     	return 0;
     }
     
    +static void __init do_security_initcalls(void)
    +{
    +	initcall_t *call;
    +	call = &__security_initcall_start;
    +	while (call < &__security_initcall_end) {
    +		(*call)();
    +		call++;
    +	}
    +}
    +
     /**
      * security_scaffolding_startup - initialzes the security scaffolding framework
      *
      * This should be called early in the kernel initialization sequence.
      */
    -int security_scaffolding_startup (void)
    +int __init security_scaffolding_startup (void)
     {
     	printk (KERN_INFO "Security Scaffold v" SECURITY_SCAFFOLD_VERSION
     		" initialized\n");
    @@ -55,6 +65,7 @@
     	}
     
     	security_ops = &dummy_security_ops;
    +	do_security_initcalls();
     
     	return 0;
     }
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    



    This archive was generated by hypermail 2b30 : Tue Apr 08 2003 - 16:24:41 PDT