From: Simon THOBY <git@nightmared.fr>
To: linux-security-module@vger.kernel.org
Cc: Simon THOBY <git@nightmared.fr>,
linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org
Subject: [RFC PATCH 2/9] Introduce a new LSM: loadpol
Date: Wed, 21 May 2025 16:01:06 +0200 [thread overview]
Message-ID: <20250521140121.591482-3-git@nightmared.fr> (raw)
In-Reply-To: <20250521140121.591482-1-git@nightmared.fr>
Create a new LSM to filter the load of kernel modules according
to a user-provided policy.
Signed-off-by: Simon THOBY <git@nightmared.fr>
---
include/linux/lsm_count.h | 7 +++++++
include/uapi/linux/lsm.h | 1 +
security/Kconfig | 1 +
security/Makefile | 1 +
security/loadpol/Kconfig | 12 ++++++++++++
security/loadpol/Makefile | 1 +
security/loadpol/loadpol.c | 29 +++++++++++++++++++++++++++++
security/loadpol/loadpol.h | 8 ++++++++
8 files changed, 60 insertions(+)
create mode 100644 security/loadpol/Kconfig
create mode 100644 security/loadpol/Makefile
create mode 100644 security/loadpol/loadpol.c
create mode 100644 security/loadpol/loadpol.h
diff --git a/include/linux/lsm_count.h b/include/linux/lsm_count.h
index 16eb49761b25..9e0d96dfe9d2 100644
--- a/include/linux/lsm_count.h
+++ b/include/linux/lsm_count.h
@@ -84,6 +84,12 @@
#define LANDLOCK_ENABLED
#endif
+#if IS_ENABLED(CONFIG_SECURITY_LOADPOL)
+#define LOADPOL_ENABLED 1,
+#else
+#define LOADPOL_ENABLED
+#endif
+
#if IS_ENABLED(CONFIG_IMA)
#define IMA_ENABLED 1,
#else
@@ -122,6 +128,7 @@
SAFESETID_ENABLED \
BPF_LSM_ENABLED \
LANDLOCK_ENABLED \
+ LOADPOL_ENABLED \
IMA_ENABLED \
EVM_ENABLED \
IPE_ENABLED)
diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h
index 938593dfd5da..ec8bdb415562 100644
--- a/include/uapi/linux/lsm.h
+++ b/include/uapi/linux/lsm.h
@@ -65,6 +65,7 @@ struct lsm_ctx {
#define LSM_ID_IMA 111
#define LSM_ID_EVM 112
#define LSM_ID_IPE 113
+#define LSM_ID_LOADPOL 114
/*
* LSM_ATTR_XXX definitions identify different LSM attributes
diff --git a/security/Kconfig b/security/Kconfig
index 4816fc74f81e..e492c0d6768c 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -230,6 +230,7 @@ source "security/safesetid/Kconfig"
source "security/lockdown/Kconfig"
source "security/landlock/Kconfig"
source "security/ipe/Kconfig"
+source "security/loadpol/Kconfig"
source "security/integrity/Kconfig"
diff --git a/security/Makefile b/security/Makefile
index 22ff4c8bd8ce..562c572b7f23 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -26,6 +26,7 @@ obj-$(CONFIG_CGROUPS) += device_cgroup.o
obj-$(CONFIG_BPF_LSM) += bpf/
obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/
obj-$(CONFIG_SECURITY_IPE) += ipe/
+obj-$(CONFIG_SECURITY_LOADPOL) += loadpol/
# Object integrity file lists
obj-$(CONFIG_INTEGRITY) += integrity/
diff --git a/security/loadpol/Kconfig b/security/loadpol/Kconfig
new file mode 100644
index 000000000000..8945e210ef69
--- /dev/null
+++ b/security/loadpol/Kconfig
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: GPL-2.0-only
+
+config SECURITY_LOADPOL
+ bool "LOADPOL support"
+ depends on SECURITY && MODULES
+ help
+ Loadpol allows restricting the kernel modules that can be loaded
+ dynamically according to a user-defined policy.
+
+ If you are unsure how to answer this question, answer N. Otherwise,
+ enable this and append "loadpol," to the CONFIG_LSM variable to
+ enable Loadpol.
diff --git a/security/loadpol/Makefile b/security/loadpol/Makefile
new file mode 100644
index 000000000000..a794c8cfbfee
--- /dev/null
+++ b/security/loadpol/Makefile
@@ -0,0 +1 @@
+obj-$(CONFIG_SECURITY_LOADPOL) := loadpol.o
diff --git a/security/loadpol/loadpol.c b/security/loadpol/loadpol.c
new file mode 100644
index 000000000000..3fc29263e2f8
--- /dev/null
+++ b/security/loadpol/loadpol.c
@@ -0,0 +1,29 @@
+// SPDX-License-Identifier: GPL-2.0-only
+
+#include "linux/array_size.h"
+#include <linux/lsm_hooks.h>
+#include <uapi/linux/lsm.h>
+
+#include "loadpol.h"
+
+static int __init loadpol_init(void);
+
+static const struct lsm_id loadpol_lsmid = {
+ .name = LOADPOL_NAME,
+ .id = LSM_ID_LOADPOL,
+};
+
+static struct security_hook_list loadpol_hooks[] __ro_after_init = {
+};
+
+DEFINE_LSM(LOADPOL_NAME) = {
+ .name = LOADPOL_NAME,
+ .init = loadpol_init,
+};
+
+static int __init loadpol_init(void)
+{
+ security_add_hooks(loadpol_hooks, ARRAY_SIZE(loadpol_hooks), &loadpol_lsmid);
+ pr_info("Loadpol started.\n");
+ return 0;
+}
diff --git a/security/loadpol/loadpol.h b/security/loadpol/loadpol.h
new file mode 100644
index 000000000000..5e11474191f0
--- /dev/null
+++ b/security/loadpol/loadpol.h
@@ -0,0 +1,8 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+
+#ifndef _SECURITY_LOADPOL_LOADPOL_H
+#define _SECURITY_LOADPOL_LOADPOL_H
+
+#define LOADPOL_NAME "loadpol"
+
+#endif /* _SECURITY_LOADPOL_LOADPOL_H */
--
2.49.0
next prev parent reply other threads:[~2025-05-21 14:06 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-21 14:01 [RFC PATCH 0/9] Introducing the Loadpol LSM Simon THOBY
2025-05-21 14:01 ` [RFC PATCH 1/9] LSM: Introduce a new hook: security_kernel_module_load Simon THOBY
2025-05-21 22:03 ` Serge E. Hallyn
2025-05-22 8:57 ` Simon Thoby
2025-05-21 14:01 ` Simon THOBY [this message]
2025-05-21 14:01 ` [RFC PATCH 3/9] Loadpol LSM: filter kernel module request according to the policy Simon THOBY
2025-05-21 15:47 ` Casey Schaufler
2025-05-21 16:21 ` Randy Dunlap
2025-05-21 16:26 ` Simon Thoby
2025-05-21 14:01 ` [RFC PATCH 4/9] Loadpol LSM: add a file in securityfs to read/modify " Simon THOBY
2025-05-21 14:01 ` [RFC PATCH 5/9] Loadpol LSM: add a sysctl to lock " Simon THOBY
2025-05-21 14:01 ` [RFC PATCH 6/9] Loadpol LSM: emit an audit log Simon THOBY
2025-05-21 14:01 ` [RFC PATCH 7/9] module: expose the list of blacklisted modules Simon THOBY
2025-05-21 14:01 ` [RFC PATCH 8/9] Loadpol LSM: include the blacklisted kernel modules in the policy Simon THOBY
2025-05-21 14:01 ` [RFC PATCH 9/9] Loadpol LSM: add a minimal documentation Simon THOBY
2025-05-21 16:26 ` Randy Dunlap
2025-05-21 16:29 ` Simon Thoby
2025-05-21 21:31 ` Paul Moore
2025-05-22 9:23 ` Simon Thoby
2025-05-29 23:49 ` Paul Moore
2025-05-30 7:03 ` Simon Thoby
2025-05-30 14:59 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250521140121.591482-3-git@nightmared.fr \
--to=git@nightmared.fr \
--cc=linux-doc@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).