From: John Johansen <john.johansen@canonical.com>
To: Roberto Sassu <roberto.sassu@huaweicloud.com>,
Paul Moore <paul@paul-moore.com>,
linux-security-module@vger.kernel.org,
linux-integrity@vger.kernel.org, selinux@vger.kernel.org
Cc: "Mimi Zohar" <zohar@linux.ibm.com>,
"Roberto Sassu" <roberto.sassu@huawei.com>,
"Fan Wu" <wufan@kernel.org>, "Mickaël Salaün" <mic@digikod.net>,
"Günther Noack" <gnoack@google.com>,
"Kees Cook" <kees@kernel.org>,
"Micah Morton" <mortonm@chromium.org>,
"Casey Schaufler" <casey@schaufler-ca.com>,
"Tetsuo Handa" <penguin-kernel@I-love.SAKURA.ne.jp>,
"Nicolas Bouchinet" <nicolas.bouchinet@oss.cyber.gouv.fr>,
"Xiu Jianfeng" <xiujianfeng@huawei.com>
Subject: Re: [PATCH v3 11/34] lsm: get rid of the lsm_names list and do some cleanup
Date: Thu, 4 Sep 2025 01:48:39 -0700 [thread overview]
Message-ID: <e92064a4-06c5-4913-917c-f9aca02378f3@canonical.com> (raw)
In-Reply-To: <dd03266930a7b219c590c54bb2c210366f8d89a1.camel@huaweicloud.com>
On 9/4/25 01:12, Roberto Sassu wrote:
> On Tue, 2025-09-02 at 10:20 -0700, John Johansen wrote:
>> On 8/14/25 15:50, Paul Moore wrote:
>>> The LSM currently has a lot of code to maintain a list of the currently
>>> active LSMs in a human readable string, with the only user being the
>>> "/sys/kernel/security/lsm" code. Let's drop all of that code and
>>> generate the string on first use and then cache it for subsequent use.
>>>
>>> Signed-off-by: Paul Moore <paul@paul-moore.com>
>>> ---
>>> include/linux/lsm_hooks.h | 1 -
>>> security/inode.c | 59 +++++++++++++++++++++++++++++++++++++--
>>> security/lsm_init.c | 49 --------------------------------
>>> 3 files changed, 57 insertions(+), 52 deletions(-)
>>>
>>> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
>>> index 7343dd60b1d5..65a8227bece7 100644
>>> --- a/include/linux/lsm_hooks.h
>>> +++ b/include/linux/lsm_hooks.h
>>> @@ -172,7 +172,6 @@ struct lsm_info {
>>>
>>>
>>> /* DO NOT tamper with these variables outside of the LSM framework */
>>> -extern char *lsm_names;
>>> extern struct lsm_static_calls_table static_calls_table __ro_after_init;
>>>
>>> /**
>>> diff --git a/security/inode.c b/security/inode.c
>>> index 43382ef8896e..a5e7a073e672 100644
>>> --- a/security/inode.c
>>> +++ b/security/inode.c
>>> @@ -22,6 +22,8 @@
>>> #include <linux/lsm_hooks.h>
>>> #include <linux/magic.h>
>>>
>>> +#include "lsm.h"
>>> +
>>> static struct vfsmount *mount;
>>> static int mount_count;
>>>
>>> @@ -315,12 +317,65 @@ void securityfs_remove(struct dentry *dentry)
>>> EXPORT_SYMBOL_GPL(securityfs_remove);
>>>
>>> #ifdef CONFIG_SECURITY
>>> +#include <linux/spinlock.h>
>>> +
>>> static struct dentry *lsm_dentry;
>>> +
>>> +/* NOTE: we never free the string below once it is set. */
>>> +static DEFINE_SPINLOCK(lsm_read_lock);
>>
>> nit, this is only used on the write side, so not the best name
>>
>>> +static char *lsm_read_str = NULL;
>>> +static ssize_t lsm_read_len = 0;
>>> +
>>> static ssize_t lsm_read(struct file *filp, char __user *buf, size_t count,
>>> loff_t *ppos)
>>> {
>>> - return simple_read_from_buffer(buf, count, ppos, lsm_names,
>>> - strlen(lsm_names));
>>> + int i;
>>> + char *str;
>>> + ssize_t len;
>>> +
>>> +restart:
>>> +
>>> + rcu_read_lock();
>
> Uhm, it seems we cannot use plain RCU here, simple_read_from_buffer()
> can sleep.
>
doh, yes.
But we shouldn't need RCU here either. This is a write once, never update
again situation. Instead we can get away with just a lock on the write
side to ensure exclusion on setting the value.
We don't even need the read side memory barrier, if the assumption that
the pointer is read as a single value holds, and the the null read will
go to the lock, and end up rereading.
> Roberto
>
>>> + if (!lsm_read_str) {
>> should probably be
>> if (!rcu_access_pointer(lsm_read_str)) {
>>
>>> + /* we need to generate the string and try again */
>>> + rcu_read_unlock();
>>> + goto generate_string;
>>> + }
>>> + len = simple_read_from_buffer(buf, count, ppos,
>>> + rcu_dereference(lsm_read_str),
>>> + lsm_read_len);
>>> + rcu_read_unlock();
>>> + return len;
>>> +
>>> +generate_string:
>>> +
>>> + for (i = 0; i < lsm_active_cnt; i++)
>>> + /* the '+ 1' accounts for either a comma or a NUL */
>>> + len += strlen(lsm_idlist[i]->name) + 1;
>>> +
>>> + str = kmalloc(len, GFP_KERNEL);
>>> + if (!str)
>>> + return -ENOMEM;
>>> + str[0] = '\0';
>>> +
>>> + for (i = 0; i < lsm_active_cnt; i++) {
>>> + if (i > 0)
>>> + strcat(str, ",");
>>> + strcat(str, lsm_idlist[i]->name);
>>> + }
>>> +
>>> + spin_lock(&lsm_read_lock);
>>> + if (lsm_read_str) {
>>> + /* we raced and lost */
>>> + spin_unlock(&lsm_read_lock);
>>> + kfree(str);
>>> + goto restart;
>>> + }
>>> + lsm_read_str = str;
>>> + lsm_read_len = len - 1;
>>> + spin_unlock(&lsm_read_lock);
>>> +
>>> + goto restart;
>>> }
>>>
>>> static const struct file_operations lsm_ops = {
>>> diff --git a/security/lsm_init.c b/security/lsm_init.c
>>> index 9e495a36a332..87e2147016b3 100644
>>> --- a/security/lsm_init.c
>>> +++ b/security/lsm_init.c
>>> @@ -10,8 +10,6 @@
>>>
>>> #include "lsm.h"
>>>
>>> -char *lsm_names;
>>> -
>>> /* Pointers to LSM sections defined in include/asm-generic/vmlinux.lds.h */
>>> extern struct lsm_info __start_lsm_info[], __end_lsm_info[];
>>> extern struct lsm_info __start_early_lsm_info[], __end_early_lsm_info[];
>>> @@ -371,42 +369,6 @@ static void __init lsm_init_ordered(void)
>>> }
>>> }
>>>
>>> -static bool match_last_lsm(const char *list, const char *lsm)
>>> -{
>>> - const char *last;
>>> -
>>> - if (WARN_ON(!list || !lsm))
>>> - return false;
>>> - last = strrchr(list, ',');
>>> - if (last)
>>> - /* Pass the comma, strcmp() will check for '\0' */
>>> - last++;
>>> - else
>>> - last = list;
>>> - return !strcmp(last, lsm);
>>> -}
>>> -
>>> -static int lsm_append(const char *new, char **result)
>>> -{
>>> - char *cp;
>>> -
>>> - if (*result == NULL) {
>>> - *result = kstrdup(new, GFP_KERNEL);
>>> - if (*result == NULL)
>>> - return -ENOMEM;
>>> - } else {
>>> - /* Check if it is the last registered name */
>>> - if (match_last_lsm(*result, new))
>>> - return 0;
>>> - cp = kasprintf(GFP_KERNEL, "%s,%s", *result, new);
>>> - if (cp == NULL)
>>> - return -ENOMEM;
>>> - kfree(*result);
>>> - *result = cp;
>>> - }
>>> - return 0;
>>> -}
>>> -
>>> static void __init lsm_static_call_init(struct security_hook_list *hl)
>>> {
>>> struct lsm_static_call *scall = hl->scalls;
>>> @@ -443,15 +405,6 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count,
>>> hooks[i].lsmid = lsmid;
>>> lsm_static_call_init(&hooks[i]);
>>> }
>>> -
>>> - /*
>>> - * Don't try to append during early_security_init(), we'll come back
>>> - * and fix this up afterwards.
>>> - */
>>> - if (slab_is_available()) {
>>> - if (lsm_append(lsmid->name, &lsm_names) < 0)
>>> - panic("%s - Cannot get early memory.\n", __func__);
>>> - }
>>> }
>>>
>>> int __init early_security_init(void)
>>> @@ -488,8 +441,6 @@ int __init security_init(void)
>>> lsm_early_for_each_raw(lsm) {
>>> init_debug(" early started: %s (%s)\n", lsm->id->name,
>>> is_enabled(lsm) ? "enabled" : "disabled");
>>> - if (lsm->enabled)
>>> - lsm_append(lsm->id->name, &lsm_names);
>>> }
>>>
>>> /* Load LSMs in specified order. */
>>
>
next prev parent reply other threads:[~2025-09-04 8:48 UTC|newest]
Thread overview: 79+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-14 22:50 [RFC PATCH v3 0/34] Rework the LSM initialization Paul Moore
2025-08-14 22:50 ` [PATCH v3 01/34] lsm: split the notifier code out into lsm_notifier.c Paul Moore
2025-08-14 22:50 ` [PATCH v3 02/34] lsm: split the init code out into lsm_init.c Paul Moore
2025-08-14 22:50 ` [PATCH v3 03/34] lsm: consolidate lsm_allowed() and prepare_lsm() into lsm_prepare() Paul Moore
2025-09-02 16:33 ` John Johansen
2025-08-14 22:50 ` [PATCH v3 04/34] lsm: introduce looping macros for the initialization code Paul Moore
2025-09-02 16:37 ` John Johansen
2025-09-03 20:07 ` Paul Moore
2025-08-14 22:50 ` [PATCH v3 05/34] lsm: integrate report_lsm_order() code into caller Paul Moore
2025-09-02 16:53 ` John Johansen
2025-08-14 22:50 ` [PATCH v3 06/34] lsm: integrate lsm_early_cred() and lsm_early_task() " Paul Moore
2025-09-02 16:55 ` John Johansen
2025-08-14 22:50 ` [PATCH v3 07/34] lsm: rename ordered_lsm_init() to lsm_init_ordered() Paul Moore
2025-09-02 16:56 ` John Johansen
2025-08-14 22:50 ` [PATCH v3 08/34] lsm: replace the name field with a pointer to the lsm_id struct Paul Moore
2025-08-14 22:50 ` [PATCH v3 09/34] lsm: rename the lsm order variables for consistency Paul Moore
2025-08-14 22:50 ` [PATCH v3 10/34] lsm: rework lsm_active_cnt and lsm_idlist[] Paul Moore
2025-09-02 17:01 ` John Johansen
2025-08-14 22:50 ` [PATCH v3 11/34] lsm: get rid of the lsm_names list and do some cleanup Paul Moore
2025-08-15 17:00 ` Casey Schaufler
2025-09-02 17:20 ` John Johansen
2025-09-03 20:26 ` Paul Moore
2025-09-03 23:12 ` John Johansen
2025-09-04 8:12 ` Roberto Sassu
2025-09-04 8:48 ` John Johansen [this message]
2025-09-04 15:18 ` Paul Moore
2025-09-04 17:52 ` Paul Moore
2025-08-14 22:50 ` [PATCH v3 12/34] lsm: rework the LSM enable/disable setter/getter functions Paul Moore
2025-09-02 17:39 ` John Johansen
2025-08-14 22:50 ` [PATCH v3 13/34] lsm: rename exists_ordered_lsm() to lsm_order_exists() Paul Moore
2025-09-02 17:42 ` John Johansen
2025-08-14 22:50 ` [PATCH v3 14/34] lsm: rename/rework append_ordered_lsm() into lsm_order_append() Paul Moore
2025-09-03 0:17 ` John Johansen
2025-08-14 22:50 ` [PATCH v3 15/34] lsm: rename/rework ordered_lsm_parse() to lsm_order_parse() Paul Moore
2025-09-03 8:40 ` John Johansen
2025-08-14 22:50 ` [PATCH v3 16/34] lsm: cleanup the LSM blob size code Paul Moore
2025-08-14 22:50 ` [PATCH v3 17/34] lsm: cleanup initialize_lsm() and rename to lsm_init_single() Paul Moore
2025-08-15 17:05 ` Casey Schaufler
2025-08-14 22:50 ` [PATCH v3 18/34] lsm: fold lsm_init_ordered() into security_init() Paul Moore
2025-09-03 8:47 ` John Johansen
2025-08-14 22:50 ` [PATCH v3 19/34] lsm: add/tweak function header comment blocks in lsm_init.c Paul Moore
2025-09-03 8:48 ` John Johansen
2025-08-14 22:50 ` [PATCH v3 20/34] lsm: cleanup the debug and console output " Paul Moore
2025-09-03 10:22 ` John Johansen
2025-08-14 22:50 ` [PATCH v3 21/34] lsm: output available LSMs when debugging Paul Moore
2025-09-03 8:49 ` John Johansen
2025-08-14 22:50 ` [PATCH v3 22/34] lsm: group lsm_order_parse() with the other lsm_order_*() functions Paul Moore
2025-09-02 17:46 ` John Johansen
2025-08-14 22:50 ` [PATCH v3 23/34] lsm: introduce an initcall mechanism into the LSM framework Paul Moore
2025-09-02 17:50 ` John Johansen
2025-08-14 22:50 ` [PATCH v3 24/34] loadpin: move initcalls to " Paul Moore
2025-09-02 17:51 ` John Johansen
2025-08-14 22:50 ` [PATCH v3 25/34] ipe: " Paul Moore
2025-09-02 17:52 ` John Johansen
2025-08-14 22:50 ` [PATCH v3 26/34] smack: " Paul Moore
2025-09-02 18:08 ` John Johansen
2025-08-14 22:50 ` [PATCH v3 27/34] tomoyo: " Paul Moore
2025-09-02 18:09 ` John Johansen
2025-09-03 20:32 ` Paul Moore
2025-09-04 9:52 ` Tetsuo Handa
2025-09-04 15:02 ` Paul Moore
2025-08-14 22:50 ` [PATCH v3 28/34] safesetid: " Paul Moore
2025-09-02 18:10 ` John Johansen
2025-08-14 22:50 ` [PATCH v3 29/34] apparmor: " Paul Moore
2025-09-03 20:34 ` Paul Moore
2025-09-03 23:15 ` John Johansen
2025-09-04 1:28 ` Paul Moore
2025-08-14 22:50 ` [PATCH v3 30/34] lockdown: " Paul Moore
2025-09-02 18:12 ` John Johansen
2025-08-14 22:50 ` [PATCH v3 31/34] ima,evm: " Paul Moore
2025-08-22 20:45 ` Paul Moore
2025-09-02 12:50 ` Roberto Sassu
2025-09-02 12:54 ` [PATCH] " Roberto Sassu
2025-09-03 20:43 ` Paul Moore
2025-08-14 22:50 ` [PATCH v3 32/34] selinux: " Paul Moore
2025-08-14 22:50 ` [PATCH v3 33/34] lsm: consolidate all of the LSM framework initcalls Paul Moore
2025-09-02 18:20 ` John Johansen
2025-08-14 22:50 ` [PATCH v3 34/34] lsm: add a LSM_STARTED_ALL notification event Paul Moore
2025-09-02 18:21 ` John Johansen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e92064a4-06c5-4913-917c-f9aca02378f3@canonical.com \
--to=john.johansen@canonical.com \
--cc=casey@schaufler-ca.com \
--cc=gnoack@google.com \
--cc=kees@kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=mortonm@chromium.org \
--cc=nicolas.bouchinet@oss.cyber.gouv.fr \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=roberto.sassu@huawei.com \
--cc=roberto.sassu@huaweicloud.com \
--cc=selinux@vger.kernel.org \
--cc=wufan@kernel.org \
--cc=xiujianfeng@huawei.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).