[PATCH v2 2/5] security: Count the LSMs enabled at compile time

linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: KP Singh <kpsingh@kernel.org>
To: linux-security-module@vger.kernel.org, bpf@vger.kernel.org
Cc: paul@paul-moore.com, keescook@chromium.org,
	casey@schaufler-ca.com, song@kernel.org, daniel@iogearbox.net,
	ast@kernel.org, jannh@google.com,
	Kui-Feng Lee <sinquersw@gmail.com>, KP Singh <kpsingh@kernel.org>
Subject: [PATCH v2 2/5] security: Count the LSMs enabled at compile time
Date: Fri, 16 Jun 2023 02:04:38 +0200	[thread overview]
Message-ID: <20230616000441.3677441-3-kpsingh@kernel.org> (raw)
In-Reply-To: <20230616000441.3677441-1-kpsingh@kernel.org>

These macros are a clever trick to determine a count of the number of
LSMs that are enabled in the config to ascertain the maximum number of
static calls that need to be configured per LSM hook.

Without this one would need to generate static calls for (number of
possible LSMs * number of LSM hooks) which ends up being quite wasteful
especially when some LSMs are not compiled into the kernel.

Suggested-by: Kui-Feng Lee <sinquersw@gmail.com>
Signed-off-by: KP Singh <kpsingh@kernel.org>
---
 include/linux/lsm_count.h | 131 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 131 insertions(+)
 create mode 100644 include/linux/lsm_count.h

diff --git a/include/linux/lsm_count.h b/include/linux/lsm_count.h
new file mode 100644
index 000000000000..818f62ffa723
--- /dev/null
+++ b/include/linux/lsm_count.h
@@ -0,0 +1,131 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+
+/*
+ * Copyright (C) 2023 Google LLC.
+ */
+
+#ifndef __LINUX_LSM_COUNT_H
+#define __LINUX_LSM_COUNT_H
+
+#include <linux/kconfig.h>
+
+/*
+ * Macros to count the number of LSMs enabled in the kernel at compile time.
+ */
+
+#define __LSM_COUNT_15(x, y...) 15
+#define __LSM_COUNT_14(x, y...) 14
+#define __LSM_COUNT_13(x, y...) 13
+#define __LSM_COUNT_12(x, y...) 12
+#define __LSM_COUNT_11(x, y...) 11
+#define __LSM_COUNT_10(x, y...) 10
+#define __LSM_COUNT_9(x, y...) 9
+#define __LSM_COUNT_8(x, y...) 8
+#define __LSM_COUNT_7(x, y...) 7
+#define __LSM_COUNT_6(x, y...) 6
+#define __LSM_COUNT_5(x, y...) 5
+#define __LSM_COUNT_4(x, y...) 4
+#define __LSM_COUNT_3(x, y...) 3
+#define __LSM_COUNT_2(x, y...) 2
+#define __LSM_COUNT_1(x, y...) 1
+#define __LSM_COUNT_0(x, y...) 0
+
+#define __LSM_COUNT1_15(x, y...) __LSM_COUNT ## x ## _15(y)
+#define __LSM_COUNT1_14(x, y...) __LSM_COUNT ## x ## _14(y)
+#define __LSM_COUNT1_13(x, y...) __LSM_COUNT ## x ## _13(y)
+#define __LSM_COUNT1_12(x, y...) __LSM_COUNT ## x ## _12(y)
+#define __LSM_COUNT1_10(x, y...) __LSM_COUNT ## x ## _11(y)
+#define __LSM_COUNT1_9(x, y...) __LSM_COUNT ## x ## _10(y)
+#define __LSM_COUNT1_8(x, y...) __LSM_COUNT ## x ## _9(y)
+#define __LSM_COUNT1_7(x, y...) __LSM_COUNT ## x ## _8(y)
+#define __LSM_COUNT1_6(x, y...) __LSM_COUNT ## x ## _7(y)
+#define __LSM_COUNT1_5(x, y...) __LSM_COUNT ## x ## _6(y)
+#define __LSM_COUNT1_4(x, y...) __LSM_COUNT ## x ## _5(y)
+#define __LSM_COUNT1_3(x, y...) __LSM_COUNT ## x ## _4(y)
+#define __LSM_COUNT1_2(x, y...) __LSM_COUNT ## x ## _3(y)
+#define __LSM_COUNT1_1(x, y...) __LSM_COUNT ## x ## _2(y)
+#define __LSM_COUNT1_0(x, y...) __LSM_COUNT ## x ## _1(y)
+#define __LSM_COUNT(x, y...) __LSM_COUNT ## x ## _0(y)
+
+#define __LSM_COUNT_EXPAND(x...) __LSM_COUNT(x)
+
+#if IS_ENABLED(CONFIG_SECURITY)
+#define CAPABILITIES_ENABLED 1,
+#else
+#define CAPABILITIES_ENABLED
+#endif
+
+#if IS_ENABLED(CONFIG_SECURITY_SELINUX)
+#define SELINUX_ENABLED 1,
+#else
+#define SELINUX_ENABLED
+#endif
+
+#if IS_ENABLED(CONFIG_SECURITY_SMACK)
+#define SMACK_ENABLED 1,
+#else
+#define SMACK_ENABLED
+#endif
+
+#if IS_ENABLED(CONFIG_SECURITY_APPARMOR)
+#define APPARMOR_ENABLED 1,
+#else
+#define APPARMOR_ENABLED
+#endif
+
+#if IS_ENABLED(CONFIG_SECURITY_TOMOYO)
+#define TOMOYO_ENABLED 1,
+#else
+#define TOMOYO_ENABLED
+#endif
+
+#if IS_ENABLED(CONFIG_SECURITY_YAMA)
+#define YAMA_ENABLED 1,
+#else
+#define YAMA_ENABLED
+#endif
+
+#if IS_ENABLED(CONFIG_SECURITY_LOADPIN)
+#define LOADPIN_ENABLED 1,
+#else
+#define LOADPIN_ENABLED
+#endif
+
+#if IS_ENABLED(CONFIG_SECURITY_LOCKDOWN_LSM)
+#define LOCKDOWN_ENABLED 1,
+#else
+#define LOCKDOWN_ENABLED
+#endif
+
+#if IS_ENABLED(CONFIG_BPF_LSM)
+#define BPF_LSM_ENABLED 1,
+#else
+#define BPF_LSM_ENABLED
+#endif
+
+#if IS_ENABLED(CONFIG_BPF_LSM)
+#define BPF_LSM_ENABLED 1,
+#else
+#define BPF_LSM_ENABLED
+#endif
+
+#if IS_ENABLED(CONFIG_SECURITY_LANDLOCK)
+#define LANDLOCK_ENABLED 1,
+#else
+#define LANDLOCK_ENABLED
+#endif
+
+#define MAX_LSM_COUNT			\
+	__LSM_COUNT_EXPAND(		\
+		CAPABILITIES_ENABLED	\
+		SELINUX_ENABLED		\
+		SMACK_ENABLED		\
+		APPARMOR_ENABLED	\
+		TOMOYO_ENABLED		\
+		YAMA_ENABLED		\
+		LOADPIN_ENABLED		\
+		LOCKDOWN_ENABLED	\
+		BPF_LSM_ENABLED		\
+		LANDLOCK_ENABLED)
+
+#endif  /* __LINUX_LSM_COUNT_H */
-- 
2.41.0.162.gfafddb0af9-goog

next prev parent reply	other threads:[~2023-06-16  0:05 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-06-16  0:04 [PATCH v2 0/5] Reduce overhead of LSMs with static calls KP Singh
2023-06-16  0:04 ` [PATCH v2 1/5] kernel: Add helper macros for loop unrolling KP Singh
2023-06-16  0:04 ` KP Singh [this message]
2023-06-16  0:38   ` [PATCH v2 2/5] security: Count the LSMs enabled at compile time Casey Schaufler
2023-06-16 22:27     ` Andrii Nakryiko
2023-09-16  0:54       ` KP Singh
2023-06-16  0:04 ` [PATCH v2 3/5] security: Replace indirect LSM hook calls with static calls KP Singh
2023-06-16  1:05   ` Casey Schaufler
2023-06-17 15:09     ` KP Singh
2023-06-16  3:41   ` kernel test robot
2023-06-16 21:09   ` kernel test robot
2023-06-17 15:39     ` KP Singh
2023-06-20 21:53   ` Kees Cook
2023-06-16  0:04 ` [PATCH v2 4/5] bpf: Only enable BPF LSM hooks when an LSM program is attached KP Singh
2023-06-16  0:04 ` [PATCH v2 5/5] security: Add CONFIG_SECURITY_HOOK_LIKELY KP Singh
2023-06-16  1:14   ` Casey Schaufler
2023-06-17 15:11     ` KP Singh
2023-06-20 20:58   ` Kees Cook
2023-09-18 13:27     ` KP Singh
2023-09-18 13:55   ` Paul Moore
2023-09-18 16:28     ` KP Singh

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:818f62ffa72 )
 OR (
bs:"[PATCH v2 2/5] security: Count the LSMs enabled at compile time" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230616000441.3677441-3-kpsingh@kernel.org \
    --to=kpsingh@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=casey@schaufler-ca.com \
    --cc=daniel@iogearbox.net \
    --cc=jannh@google.com \
    --cc=keescook@chromium.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=paul@paul-moore.com \
    --cc=sinquersw@gmail.com \
    --cc=song@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).