[PATCH] Early init for security modules

From: Chris Wright (chrisat_private)
Date: Mon May 12 2003 - 20:03:09 PDT


    As discussed before, here is a simple patch to allow for early
    initialization of security modules when compiled statically into the
    kernel.  The standard do_initcalls() runs too late to give a module complete
    coverage of, for example, all filesystems and kernel threads.  If this looks OK, I'd like to
    push it on to Linus.  Patch is against 2.5.69-bk.  It is tested on i386,
    and various arch maintainers are copied on relevant bits of patch.
    
    thanks,
    -chris
    -- 
    Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
    
    --- 1.30/arch/i386/vmlinux.lds.S	Tue May  6 06:54:06 2003
    +++ edited/arch/i386/vmlinux.lds.S	Mon May 12 16:20:10 2003
    @@ -81,6 +81,9 @@
       __con_initcall_start = .;
       .con_initcall.init : { *(.con_initcall.init) }
       __con_initcall_end = .;
    +  __security_initcall_start = .;
    +  .security_initcall.init : { *(.security_initcall.init) }
    +  __security_initcall_end = .;
       . = ALIGN(4);
       __alt_instructions = .;
       .altinstructions : { *(.altinstructions) } 
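Review bot: Only the i386 linker script gains the `.security_initcall.init` section, yet the new do_security_initcalls() in security.c dereferences `__security_initcall_start`/`__security_initcall_end` unconditionally, so every other architecture's vmlinux.lds.S needs the same three lines or a static LSM build will fail to link with undefined references (the section itself would be placed as an orphan, but the two symbols are only defined here). The cover letter says the arch maintainers are copied, but none of those hunks are in this patch, so the i386-only state is what would reach Linus. A comment beside the new lines would help whoever ports it, e.g. `/* keep in sync with __security_initcall_{start,end} in include/linux/init.h */`.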
    
    --- 1.99/init/main.c	Wed May  7 21:17:55 2003
    +++ edited/init/main.c	Mon May 12 16:17:01 2003
    @@ -435,8 +435,8 @@
     	pte_chain_init();
     	fork_init(num_physpages);
     	proc_caches_init();
    -	security_scaffolding_startup();
     	buffer_init();
    +	security_scaffolding_startup();
     	vfs_caches_init(num_physpages);
     	radix_tree_init();
     	signals_init();
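Review bot: The int returned by `security_scaffolding_startup()` on the moved line is discarded, so if the scaffold fails to install its default ops (the function is declared to return int in the security.c hunk) boot simply continues and the failure is never reported. The neighbouring calls are void so this mirrors them, but since this one can fail it may be worth `if (security_scaffolding_startup()) printk(KERN_ERR "security scaffold init failed\n");`, or a panic if booting without the scaffold is not acceptable. The move also means the security initcalls now run before vfs_caches_init(), which is presumably the point, but a module init that touches the dcache/inode caches would now run too early and nothing documents that constraint. start_kernel() begins and ends outside this hunk.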
    
    --- 1.25/include/linux/init.h	Mon Mar  3 13:05:26 2003
    +++ edited/include/linux/init.h	Mon May 12 16:17:01 2003
    @@ -64,6 +64,7 @@
     typedef void (*exitcall_t)(void);
     
     extern initcall_t __con_initcall_start, __con_initcall_end;
    +extern initcall_t __security_initcall_start, __security_initcall_end;
     #endif
       
     #ifndef MODULE
    @@ -96,6 +97,9 @@
     #define console_initcall(fn) \
     	static initcall_t __initcall_##fn __attribute__ ((unused,__section__ (".con_initcall.init")))=fn
     
    +#define security_initcall(fn) \
    +	static initcall_t __initcall_##fn __attribute__ ((unused,__section__ (".security_initcall.init"))) = fn
    +
     struct obs_kernel_param {
     	const char *str;
     	int (*setup_func)(char *);
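Review bot: The order in which entries of `.security_initcall.init` run is simply link order of the objects that use `security_initcall()`, so when more than one LSM is built statically the first-linked one gets to register first and the others presumably lose; the macro gives no hint of this, unlike the numbered `.initcallN.init` levels. A short comment above the new define would make the contract explicit, e.g. `/* runs from security_scaffolding_startup() before do_initcalls(); ordering between entries is link order */`.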
    @@ -142,6 +146,8 @@
     #define fs_initcall(fn)			module_init(fn)
     #define device_initcall(fn)		module_init(fn)
     #define late_initcall(fn)		module_init(fn)
    +
    +#define security_initcall(fn)		module_init(fn)
     
     /* These macros create a dummy inline: gcc 2.9x does not count alias
      as usage, hence the `unused function' warning when __init functions
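Review bot: Under `#ifdef MODULE`, `security_initcall(fn)` collapses to `module_init(fn)`, so an LSM built as a loadable module gets none of the early coverage the cover letter describes and is initialised at the normal initcall time, but nothing in the header says so. A one-line comment above the new define would stop the next LSM author from assuming early init applies to both build modes, e.g. `/* loadable LSMs cannot be initialised early; only built-in ones use .security_initcall.init */`.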
    
    --- 1.15/security/capability.c	Mon Feb 17 12:08:10 2003
    +++ edited/security/capability.c	Mon May 12 16:14:00 2003
    @@ -348,7 +348,7 @@
     	}
     }
     
    -module_init (capability_init);
    +security_initcall (capability_init);
     module_exit (capability_exit);
     
     MODULE_DESCRIPTION("Standard Linux Capabilities Security Module");
    
    --- 1.2/security/root_plug.c	Wed Dec 18 15:09:26 2002
    +++ edited/security/root_plug.c	Mon May 12 16:25:10 2003
    @@ -184,7 +184,7 @@
     	printk (KERN_INFO "Root Plug module removed\n");
     }
     
    -module_init (rootplug_init);
    +security_initcall (rootplug_init);
     module_exit (rootplug_exit);
     
     MODULE_DESCRIPTION("Root Plug sample LSM module, written for Linux Journal article");
    
    --- 1.7/security/security.c	Wed Dec 18 15:10:17 2002
    +++ edited/security/security.c	Mon May 12 16:17:13 2003
    @@ -38,12 +38,22 @@
     	return 0;
     }
     
    +static void __init do_security_initcalls(void)
    +{
    +	initcall_t *call;
    +	call = &__security_initcall_start;
    +	while (call < &__security_initcall_end) {
    +		(*call)();
    +		call++;
    +	}
    +}
    +
     /**
      * security_scaffolding_startup - initialzes the security scaffolding framework
      *
      * This should be called early in the kernel initialization sequence.
      */
    -int security_scaffolding_startup (void)
    +int __init security_scaffolding_startup (void)
     {
     	printk (KERN_INFO "Security Scaffold v" SECURITY_SCAFFOLD_VERSION
     		" initialized\n");
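Review bot: `(*call)();` in do_security_initcalls() throws away each initcall's int return value, so a security module whose init fails (for instance because another built-in module already registered as primary) is silently skipped and the kernel boots with the default ops installed a few lines earlier, which defeats the "complete coverage" goal without telling anyone. At minimum log it: `int rc = (*call)();` followed by `if (rc) printk(KERN_WARNING "security initcall %p failed: %d\n", *call, rc);`. Whether a failure here should instead be fatal depends on policy the patch does not state, so a comment on the loop saying failures are deliberately tolerated would be the alternative.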
    @@ -55,6 +65,7 @@
     	}
     
     	security_ops = &dummy_security_ops;
    +	do_security_initcalls();
     
     	return 0;
     }
    


