This patch against lsm-2.4 is a backport of changes accepted into the 2.5/6 kernel. It allows for the early initialization of security modules. We have only been able to test the i386 code. We did not use the SECURITY_INIT macro that Chris used because include/asm-generic/vmlinux.lds.h does not exist in the 2.4 kernel, and most architectures directly link these files anyway so they are not preprocessed. The new 2.4-based SELinux (a backport of the 2.6-based SELinux) depends on these, so we'd like to get them into the lsm-2.4 tree so that we can also merge the new 2.4-based SELinux into it. For reference see the thread on the LSM mailing list starting on 12 May 2003. http://mail.wirex.com/pipermail/linux-security-module/2003-May/4355.html If there are no objections, I will ask Steve to merge it. arch/alpha/vmlinux.lds.in | 7 +++++++ arch/arm/vmlinux-armo.lds.in | 5 +++++ arch/arm/vmlinux-armv.lds.in | 5 +++++ arch/cris/cris.ld | 5 +++++ arch/i386/vmlinux.lds | 5 +++++ arch/ia64/vmlinux.lds.S | 6 ++++++ arch/m68k/vmlinux-sun3.lds | 5 +++++ arch/m68k/vmlinux.lds | 5 +++++ arch/mips/ld.script.in | 5 +++++ arch/mips64/ld.script.elf32.S | 5 +++++ arch/mips64/ld.script.elf64 | 5 +++++ arch/parisc/vmlinux.lds | 5 +++++ arch/parisc/vmlinux64.lds | 5 +++++ arch/ppc/vmlinux.lds | 5 +++++ arch/ppc64/vmlinux.lds | 6 +++++- arch/s390/vmlinux-shared.lds | 5 +++++ arch/s390/vmlinux.lds | 5 +++++ arch/s390x/vmlinux-shared.lds | 5 +++++ arch/s390x/vmlinux.lds | 5 +++++ arch/sh/vmlinux.lds.S | 5 +++++ arch/sparc/vmlinux.lds | 5 +++++ arch/sparc64/vmlinux.lds | 5 +++++ arch/x86_64/vmlinux.lds | 5 +++++ include/linux/init.h | 6 ++++++ security/capability.c | 2 +- security/security.c | 14 ++++++++++++-- 26 files changed, 137 insertions(+), 4 deletions(-) diff -Nru a/arch/alpha/vmlinux.lds.in b/arch/alpha/vmlinux.lds.in --- a/arch/alpha/vmlinux.lds.in Thu Sep 25 15:21:11 2003 +++ b/arch/alpha/vmlinux.lds.in Thu Sep 25 15:21:11 2003 
@@ -44,6 +44,13 @@ .initcall.init : { *(.initcall.init) } __initcall_end = .; + .= ALIGN(8) + .security_initcall.init : { + __security_initcall_start = .; + *(.security_initcall.init) + __security_initcall_end = .; + } + . = ALIGN(2*8192); /* Align double page for init_task_union */ __init_end = .; diff -Nru a/arch/arm/vmlinux-armo.lds.in b/arch/arm/vmlinux-armo.lds.in --- a/arch/arm/vmlinux-armo.lds.in Thu Sep 25 15:21:11 2003 +++ b/arch/arm/vmlinux-armo.lds.in Thu Sep 25 15:21:11 2003 @@ -29,6 +29,11 @@ __initcall_start = .; *(.initcall.init) __initcall_end = .; + .security_initcall.init : { + __security_initcall_start = .; + *(.security_initcall.init) + __security_initcall_end = .; + } . = ALIGN(32768); __init_end = .; } diff -Nru a/arch/arm/vmlinux-armv.lds.in b/arch/arm/vmlinux-armv.lds.in --- a/arch/arm/vmlinux-armv.lds.in Thu Sep 25 15:21:11 2003 +++ b/arch/arm/vmlinux-armv.lds.in Thu Sep 25 15:21:11 2003 @@ -28,6 +28,11 @@ __initcall_start = .; *(.initcall.init) __initcall_end = .; + .security_initcall.init : { + __security_initcall_start = .; + *(.security_initcall.init) + __security_initcall_end = .; + } . = ALIGN(4096); __init_end = .; } diff -Nru a/arch/cris/cris.ld b/arch/cris/cris.ld --- a/arch/cris/cris.ld Thu Sep 25 15:21:11 2003 +++ b/arch/cris/cris.ld Thu Sep 25 15:21:11 2003 @@ -65,6 +65,11 @@ __initcall_start = .; *(.initcall.init); __initcall_end = .; + } + .security_initcall.init : { + __security_initcall_start = .; + *(.security_initcall.init) + __security_initcall_end = .; /* We fill to the next page, so we can discard all init pages without needing to consider what payload might be diff -Nru a/arch/i386/vmlinux.lds b/arch/i386/vmlinux.lds --- a/arch/i386/vmlinux.lds Thu Sep 25 15:21:11 2003 +++ b/arch/i386/vmlinux.lds Thu Sep 25 15:21:11 2003 
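Review bot: The first added line of the alpha hunk, `.= ALIGN(8)`, has no terminating semicolon, and ld requires one after every assignment in a linker script, so arch/alpha/vmlinux.lds.in will most likely fail to link as posted. It should read `. = ALIGN(8);` (the odd spacing may be an artifact of the archive; the missing `;` is not). The description says only the i386 code was tested, so this file deserves at least a cross-toolchain link before the merge.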
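Review bot: In arch/arm/vmlinux-armo.lds.in the new `.security_initcall.init : { ... }` block appears to land inside an output section that is still open: the context lists `*(.initcall.init)` as a bare input pattern, and the closing `}` comes only after `__init_end = .;`. ld does not accept an output-section description nested inside another one. Within that section only the three inner lines are needed: `__security_initcall_start = .;`, `*(.security_initcall.init)` and `__security_initcall_end = .;`. The arch/arm/vmlinux-armv.lds.in hunk has the same shape. The enclosing section opens outside both hunks, so this is inferred from the context lines.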
@@ -49,6 +49,11 @@ __initcall_start = .; .initcall.init : { *(.initcall.init) } __initcall_end = .; + .security_initcall.init : { + __security_initcall_start = .; + *(.security_initcall.init) + __security_initcall_end = .; + } . = ALIGN(4096); __init_end = .; diff -Nru a/arch/ia64/vmlinux.lds.S b/arch/ia64/vmlinux.lds.S --- a/arch/ia64/vmlinux.lds.S Thu Sep 25 15:21:11 2003 +++ b/arch/ia64/vmlinux.lds.S Thu Sep 25 15:21:11 2003 @@ -120,6 +120,12 @@ *(.initcall.init) __initcall_end = .; } + .security_initcall.init : AT(ADDR(.security_initcall.init) - PAGE_OFFSET) + { + __security_initcall_start = .; + *(.security_initcall.init) + __security_initcall_end = .; + } . = ALIGN(PAGE_SIZE); __init_end = .; diff -Nru a/arch/m68k/vmlinux-sun3.lds b/arch/m68k/vmlinux-sun3.lds --- a/arch/m68k/vmlinux-sun3.lds Thu Sep 25 15:21:11 2003 +++ b/arch/m68k/vmlinux-sun3.lds Thu Sep 25 15:21:11 2003 @@ -44,6 +44,11 @@ __initcall_start = .; .initcall.init : { *(.initcall.init) } __initcall_end = .; + .security_initcall.init : { + __security_initcall_start = .; + *(.security_initcall.init) + __security_initcall_end = .; + } . = ALIGN(8192); __init_end = .; .init.task : { *(init_task) } diff -Nru a/arch/m68k/vmlinux.lds b/arch/m68k/vmlinux.lds --- a/arch/m68k/vmlinux.lds Thu Sep 25 15:21:11 2003 +++ b/arch/m68k/vmlinux.lds Thu Sep 25 15:21:11 2003 @@ -48,6 +48,11 @@ __initcall_start = .; .initcall.init : { *(.initcall.init) } __initcall_end = .; + .security_initcall.init : { + __security_initcall_start = .; + *(.security_initcall.init) + __security_initcall_end = .; + } . = ALIGN(8192); __init_end = .; diff -Nru a/arch/mips/ld.script.in b/arch/mips/ld.script.in --- a/arch/mips/ld.script.in Thu Sep 25 15:21:11 2003 +++ b/arch/mips/ld.script.in Thu Sep 25 15:21:11 2003 
@@ -46,6 +46,11 @@ __initcall_start = .; .initcall.init : { *(.initcall.init) } __initcall_end = .; + .security_initcall.init : { + __security_initcall_start = .; + *(.security_initcall.init) + __security_initcall_end = .; + } . = ALIGN(4096); /* Align double page for init_task_union */ __init_end = .; diff -Nru a/arch/mips64/ld.script.elf32.S b/arch/mips64/ld.script.elf32.S --- a/arch/mips64/ld.script.elf32.S Thu Sep 25 15:21:11 2003 +++ b/arch/mips64/ld.script.elf32.S Thu Sep 25 15:21:11 2003 @@ -47,6 +47,11 @@ __initcall_start = .; .initcall.init : { *(.initcall.init) } __initcall_end = .; + .security_initcall.init : { + __security_initcall_start = .; + *(.security_initcall.init) + __security_initcall_end = .; + } . = ALIGN(4096); /* Align double page for init_task_union */ __init_end = .; diff -Nru a/arch/mips64/ld.script.elf64 b/arch/mips64/ld.script.elf64 --- a/arch/mips64/ld.script.elf64 Thu Sep 25 15:21:11 2003 +++ b/arch/mips64/ld.script.elf64 Thu Sep 25 15:21:11 2003 @@ -56,6 +56,11 @@ __initcall_start = .; .initcall.init : { *(.initcall.init) } __initcall_end = .; + .security_initcall.init : { + __security_initcall_start = .; + *(.security_initcall.init) + __security_initcall_end = .; + } . = ALIGN(4096); /* Align double page for init_task_union */ __init_end = .; diff -Nru a/arch/parisc/vmlinux.lds b/arch/parisc/vmlinux.lds --- a/arch/parisc/vmlinux.lds Thu Sep 25 15:21:11 2003 +++ b/arch/parisc/vmlinux.lds Thu Sep 25 15:21:11 2003 @@ -46,6 +46,11 @@ __initcall_start = .; .initcall.init : { *(.initcall.init) } __initcall_end = .; + .security_initcall.init : { + __security_initcall_start = .; + *(.security_initcall.init) + __security_initcall_end = .; + } __init_end = .; diff -Nru a/arch/parisc/vmlinux64.lds b/arch/parisc/vmlinux64.lds --- a/arch/parisc/vmlinux64.lds Thu Sep 25 15:21:11 2003 +++ b/arch/parisc/vmlinux64.lds Thu Sep 25 15:21:11 2003 
@@ -49,6 +49,11 @@ __initcall_start = .; .initcall.init : { *(.initcall.init) } __initcall_end = .; + .security_initcall.init : { + __security_initcall_start = .; + *(.security_initcall.init) + __security_initcall_end = .; + } __init_end = .; diff -Nru a/arch/ppc/vmlinux.lds b/arch/ppc/vmlinux.lds --- a/arch/ppc/vmlinux.lds Thu Sep 25 15:21:11 2003 +++ b/arch/ppc/vmlinux.lds Thu Sep 25 15:21:11 2003 @@ -101,6 +101,11 @@ __initcall_start = .; .initcall.init : { *(.initcall.init) } __initcall_end = .; + .security_initcall.init : { + __security_initcall_start = .; + *(.security_initcall.init) + __security_initcall_end = .; + } . = ALIGN(4096); __init_end = .; diff -Nru a/arch/ppc64/vmlinux.lds b/arch/ppc64/vmlinux.lds --- a/arch/ppc64/vmlinux.lds Thu Sep 25 15:21:11 2003 +++ b/arch/ppc64/vmlinux.lds Thu Sep 25 15:21:11 2003 @@ -102,7 +102,11 @@ __initcall_start = .; .initcall.init : { *(.initcall.init) } __initcall_end = .; - + .security_initcall.init : { + __security_initcall_start = .; + *(.security_initcall.init) + __security_initcall_end = .; + } . = ALIGN(4096); __init_end = .; diff -Nru a/arch/s390/vmlinux-shared.lds b/arch/s390/vmlinux-shared.lds --- a/arch/s390/vmlinux-shared.lds Thu Sep 25 15:21:11 2003 +++ b/arch/s390/vmlinux-shared.lds Thu Sep 25 15:21:11 2003 @@ -56,6 +56,11 @@ __initcall_start = .; .initcall.init : { *(.initcall.init) } __initcall_end = .; + .security_initcall.init : { + __security_initcall_start = .; + *(.security_initcall.init) + __security_initcall_end = .; + } . = ALIGN(4096); __init_end = .; diff -Nru a/arch/s390/vmlinux.lds b/arch/s390/vmlinux.lds --- a/arch/s390/vmlinux.lds Thu Sep 25 15:21:11 2003 +++ b/arch/s390/vmlinux.lds Thu Sep 25 15:21:11 2003 
@@ -54,6 +54,11 @@ __initcall_start = .; .initcall.init : { *(.initcall.init) } __initcall_end = .; + .security_initcall.init : { + __security_initcall_start = .; + *(.security_initcall.init) + __security_initcall_end = .; + } . = ALIGN(4096); __init_end = .; diff -Nru a/arch/s390x/vmlinux-shared.lds b/arch/s390x/vmlinux-shared.lds --- a/arch/s390x/vmlinux-shared.lds Thu Sep 25 15:21:11 2003 +++ b/arch/s390x/vmlinux-shared.lds Thu Sep 25 15:21:11 2003 @@ -56,6 +56,11 @@ __initcall_start = .; .initcall.init : { *(.initcall.init) } __initcall_end = .; + .security_initcall.init : { + __security_initcall_start = .; + *(.security_initcall.init) + __security_initcall_end = .; + } . = ALIGN(4096); __init_end = .; diff -Nru a/arch/s390x/vmlinux.lds b/arch/s390x/vmlinux.lds --- a/arch/s390x/vmlinux.lds Thu Sep 25 15:21:11 2003 +++ b/arch/s390x/vmlinux.lds Thu Sep 25 15:21:11 2003 @@ -54,6 +54,11 @@ __initcall_start = .; .initcall.init : { *(.initcall.init) } __initcall_end = .; + .security_initcall.init : { + __security_initcall_start = .; + *(.security_initcall.init) + __security_initcall_end = .; + } . = ALIGN(4096); __init_end = .; diff -Nru a/arch/sh/vmlinux.lds.S b/arch/sh/vmlinux.lds.S --- a/arch/sh/vmlinux.lds.S Thu Sep 25 15:21:11 2003 +++ b/arch/sh/vmlinux.lds.S Thu Sep 25 15:21:11 2003 @@ -65,6 +65,11 @@ .initcall.init : { *(.initcall.init) } __initcall_end = .; __machvec_start = .; + .security_initcall.init : { + __security_initcall_start = .; + *(.security_initcall.init) + __security_initcall_end = .; + } .machvec.init : { *(.machvec.init) } __machvec_end = .; . = ALIGN(4096); diff -Nru a/arch/sparc/vmlinux.lds b/arch/sparc/vmlinux.lds --- a/arch/sparc/vmlinux.lds Thu Sep 25 15:21:11 2003 +++ b/arch/sparc/vmlinux.lds Thu Sep 25 15:21:11 2003 
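Review bot: The arch/sh/vmlinux.lds.S hunk inserts the new section after `__machvec_start = .;` and before `.machvec.init : { *(.machvec.init) }`, so the range from `__machvec_start` to `__machvec_end` now also covers the security initcall pointers. Any code that walks that range as machine-vector entries would then read initcall pointers as vectors. Moving the added block one line up, directly after `__initcall_end = .;`, keeps `__machvec_start` adjacent to `.machvec.init` and matches where the other linker scripts in this patch place it.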
@@ -47,6 +47,11 @@ __initcall_start = .; .initcall.init : { *(.initcall.init) } __initcall_end = .; + .security_initcall.init : { + __security_initcall_start = .; + *(.security_initcall.init) + __security_initcall_end = .; + } . = ALIGN(4096); __init_end = .; . = ALIGN(32); diff -Nru a/arch/sparc64/vmlinux.lds b/arch/sparc64/vmlinux.lds --- a/arch/sparc64/vmlinux.lds Thu Sep 25 15:21:11 2003 +++ b/arch/sparc64/vmlinux.lds Thu Sep 25 15:21:11 2003 @@ -48,6 +48,11 @@ __initcall_start = .; .initcall.init : { *(.initcall.init) } __initcall_end = .; + .security_initcall.init : { + __security_initcall_start = .; + *(.security_initcall.init) + __security_initcall_end = .; + } . = ALIGN(8192); __init_end = .; . = ALIGN(64); diff -Nru a/arch/x86_64/vmlinux.lds b/arch/x86_64/vmlinux.lds --- a/arch/x86_64/vmlinux.lds Thu Sep 25 15:21:11 2003 +++ b/arch/x86_64/vmlinux.lds Thu Sep 25 15:21:11 2003 @@ -89,6 +89,11 @@ __initcall_start = .; .initcall.init : { *(.initcall.init) } __initcall_end = .; + .security_initcall.init : { + __security_initcall_start = .; + *(.security_initcall.init) + __security_initcall_end = .; + } . = ALIGN(4096); __init_end = .; diff -Nru a/include/linux/init.h b/include/linux/init.h --- a/include/linux/init.h Thu Sep 25 15:21:11 2003 +++ b/include/linux/init.h Thu Sep 25 15:21:11 2003 @@ -49,12 +49,16 @@ typedef void (*exitcall_t)(void); extern initcall_t __initcall_start, __initcall_end; +extern initcall_t __security_initcall_start, __security_initcall_end; #define __initcall(fn) \ static initcall_t __initcall_##fn __init_call = fn #define __exitcall(fn) \ static exitcall_t __exitcall_##fn __exit_call = fn +#define security_initcall(fn) \ + static initcall_t __initcall_##fn __attribute__ ((unused,__section__ (".security_initcall.init"))) = fn + /* * Used for kernel command line parameter setup */ 
@@ -118,6 +122,8 @@ #define __initdata #define __exitdata #define __initcall(fn) +#define __security_initcall(fn) + /* For assembly routines */ #define __INIT #define __FINIT diff -Nru a/security/capability.c b/security/capability.c --- a/security/capability.c Thu Sep 25 15:21:11 2003 +++ b/security/capability.c Thu Sep 25 15:21:11 2003 @@ -399,7 +399,7 @@ } } -module_init (capability_init); +security_initcall (capability_init); module_exit (capability_exit); MODULE_DESCRIPTION("Standard Linux Capabilities Security Module"); diff -Nru a/security/security.c b/security/security.c --- a/security/security.c Thu Sep 25 15:21:11 2003 +++ b/security/security.c Thu Sep 25 15:21:11 2003 @@ -38,12 +38,22 @@ return 0; } +static void __init do_security_initcalls(void) +{ + initcall_t *call; + call = &__security_initcall_start; + while (call < &__security_initcall_end) { + (*call)(); + call++; + } +} + /** * security_scaffolding_startup - initialzes the security scaffolding framework * * This should be called early in the kernel initialization sequence. */ -int security_scaffolding_startup (void) +int __init security_scaffolding_startup (void) { printk (KERN_INFO "Security Scaffold v" SECURITY_SCAFFOLD_VERSION " initialized\n"); @@ -55,7 +65,7 @@ } security_ops = &dummy_security_ops; - + do_security_initcalls(); return 0; } -- James Carter <jwcart2@private> National Security Agency
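Review bot: The stub added in the second include/linux/init.h hunk is named `__security_initcall(fn)`, while the macro defined in the first init.h hunk and used in security/capability.c is `security_initcall(fn)`. This hunk looks like the MODULE branch of init.h, since the neighbouring `__initcall(fn)` and `__initdata` expand to nothing, although the `#ifdef` itself is outside the hunk. If so, a modular build of capability.c would find no definition for `security_initcall (capability_init);`. An empty stub under the right name would still drop the entry point that `module_init` used to provide, so `#define security_initcall(fn) module_init(fn)` in this branch is the safer form.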
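Review bot: `(*call)();` in do_security_initcalls() discards each initcall's result, so a security module that fails to initialise this early leaves the kernel on `dummy_security_ops` with nothing in the log to say so. Assuming `initcall_t` returns int as in the stock init.h, the loop body could be `int rc = (*call)();` followed by `if (rc) printk(KERN_ERR "security initcall %p failed: %d\n", *call, rc);`. A short comment above the function stating that these calls run from security_scaffolding_startup(), early in boot, would also tell module authors which kernel services they cannot yet rely on.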