* [RFC PATCH 0/3] LSM: Hook registration exculsivity
From: Casey Schaufler @ 2026-02-25 19:21 UTC (permalink / raw)
To: casey, paul, linux-security-module
Cc: jmorris, serge, keescook, john.johansen, penguin-kernel,
stephen.smalley.work, selinux
In-Reply-To: <20260225192143.14448-1-casey.ref@schaufler-ca.com>
This patch set represents a reasonably radical change to the LSM
stacking model. The notion of an "exclusive" LSM begins to give
way to exclusive LSM hooks. Instead of disallowing more than one
exclusive LSM, individual hooks are marked as exclusive and only
one is allowed to be registered. Subsequent LSMs that attempt to
register these hooks are denied them. This can have consequences.
The hooks relative to secmarks have been used here to demonstrate
that the scheme can work, and that it isn't always as clean as
one might like.
Please comment fully. Quite a bit of tinkering went into devising
this approach, which is intended to address a number of concerns.
Add a flags field to the LSM hook definition.
The first LSM that requests a hook with the LSM_FLAG_EXCLUSIVE flag
will be the only LSM that can register any hook thus marked.
Attempts by other LSMs to register such hooks are ignored.
Direct access to skb->secmark within LSMs are wrapped with a
helper function lsm_secmark_from_skb(). This function checks to see
if the secmark related LSM hooks, which are marked LSM_FLAG_EXCLUSIVE,
are registered by the calling LSM. If they are, the secmark value is
returned. Otherwise, the invalid secmark value 0 is returned.
Future implementations of lsm_secmark_from_skb() could use some
form of secmark encoding that would allow more than one LSM to
use secmarks at the same time.
The LSMs that currently support use of secmarks are taught how to
identify if they are allowed use of the secmark. Each sets secmark values
differently. At initialization the LSMs have the opportunity to
take steps to ensure correct behavior if they don't have secmark access.
https://github.com/cschaufler/lsm-stacking#secmark-6.19-rc8-v1
Casey Schaufler (3):
LSM: add a flags field to the LSM hook definitions
LSM: Enforce exclusive hooks
LSM: Reserve use of secmarks
include/linux/bpf_lsm.h | 2 +-
include/linux/lsm_hook_defs.h | 614 ++++++++++++++++---------------
include/linux/lsm_hooks.h | 4 +-
include/linux/security.h | 3 +
kernel/bpf/bpf_lsm.c | 10 +-
security/apparmor/lsm.c | 24 +-
security/bpf/hooks.c | 2 +-
security/lsm_init.c | 66 ++++
security/security.c | 21 +-
security/selinux/hooks.c | 35 +-
security/selinux/ss/services.c | 3 +
security/smack/smack_lsm.c | 6 +-
security/smack/smack_netfilter.c | 6 +
13 files changed, 473 insertions(+), 323 deletions(-)
--
2.52.0
^ permalink raw reply
* [RFC PATCH 1/3] LSM: add a flags field to the LSM hook definitions
From: Casey Schaufler @ 2026-02-25 19:21 UTC (permalink / raw)
To: casey, paul, linux-security-module
Cc: jmorris, serge, keescook, john.johansen, penguin-kernel,
stephen.smalley.work, selinux
In-Reply-To: <20260225192143.14448-1-casey@schaufler-ca.com>
Add a field for flags to the definition of LSM hooks. This allows
for hooks to be identified at system initialization for special
processing.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/bpf_lsm.h | 2 +-
include/linux/lsm_hook_defs.h | 614 ++++++++++++++++++----------------
include/linux/lsm_hooks.h | 4 +-
kernel/bpf/bpf_lsm.c | 10 +-
security/bpf/hooks.c | 2 +-
security/security.c | 6 +-
6 files changed, 331 insertions(+), 307 deletions(-)
diff --git a/include/linux/bpf_lsm.h b/include/linux/bpf_lsm.h
index 643809cc78c3..d71ba8c87e79 100644
--- a/include/linux/bpf_lsm.h
+++ b/include/linux/bpf_lsm.h
@@ -14,7 +14,7 @@
#ifdef CONFIG_BPF_LSM
-#define LSM_HOOK(RET, DEFAULT, NAME, ...) \
+#define LSM_HOOK(RET, DEFAULT, FLAGS, NAME, ...) \
RET bpf_lsm_##NAME(__VA_ARGS__);
#include <linux/lsm_hook_defs.h>
#undef LSM_HOOK
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index 8c42b4bde09c..acda3a02da97 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -18,451 +18,475 @@
* The macro LSM_HOOK is used to define the data structures required by
* the LSM framework using the pattern:
*
- * LSM_HOOK(<return_type>, <default_value>, <hook_name>, args...)
+ * LSM_HOOK(<return_type>, <default_value>, <flags>, <single>,
+ * <hook_name>, args...)
*
* struct security_hook_heads {
- * #define LSM_HOOK(RET, DEFAULT, NAME, ...) struct hlist_head NAME;
+ * #define LSM_HOOK(RET, DEFAULT, FLAGS, NAME, ...) struct hlist_head NAME;
* #include <linux/lsm_hook_defs.h>
* #undef LSM_HOOK
* };
*/
-LSM_HOOK(int, 0, binder_set_context_mgr, const struct cred *mgr)
-LSM_HOOK(int, 0, binder_transaction, const struct cred *from,
+LSM_HOOK(int, 0, 0, binder_set_context_mgr, const struct cred *mgr)
+LSM_HOOK(int, 0, 0, binder_transaction, const struct cred *from,
const struct cred *to)
-LSM_HOOK(int, 0, binder_transfer_binder, const struct cred *from,
+LSM_HOOK(int, 0, 0, binder_transfer_binder, const struct cred *from,
const struct cred *to)
-LSM_HOOK(int, 0, binder_transfer_file, const struct cred *from,
+LSM_HOOK(int, 0, 0, binder_transfer_file, const struct cred *from,
const struct cred *to, const struct file *file)
-LSM_HOOK(int, 0, ptrace_access_check, struct task_struct *child,
+LSM_HOOK(int, 0, 0, ptrace_access_check, struct task_struct *child,
unsigned int mode)
-LSM_HOOK(int, 0, ptrace_traceme, struct task_struct *parent)
-LSM_HOOK(int, 0, capget, const struct task_struct *target, kernel_cap_t *effective,
- kernel_cap_t *inheritable, kernel_cap_t *permitted)
-LSM_HOOK(int, 0, capset, struct cred *new, const struct cred *old,
+LSM_HOOK(int, 0, 0, ptrace_traceme, struct task_struct *parent)
+LSM_HOOK(int, 0, 0, capget, const struct task_struct *target,
+ kernel_cap_t *effective, kernel_cap_t *inheritable,
+ kernel_cap_t *permitted)
+LSM_HOOK(int, 0, 0, capset, struct cred *new, const struct cred *old,
const kernel_cap_t *effective, const kernel_cap_t *inheritable,
const kernel_cap_t *permitted)
-LSM_HOOK(int, 0, capable, const struct cred *cred, struct user_namespace *ns,
- int cap, unsigned int opts)
-LSM_HOOK(int, 0, quotactl, int cmds, int type, int id, const struct super_block *sb)
-LSM_HOOK(int, 0, quota_on, struct dentry *dentry)
-LSM_HOOK(int, 0, syslog, int type)
-LSM_HOOK(int, 0, settime, const struct timespec64 *ts,
+LSM_HOOK(int, 0, 0, capable, const struct cred *cred,
+ struct user_namespace *ns, int cap, unsigned int opts)
+LSM_HOOK(int, 0, 0, quotactl, int cmds, int type, int id,
+ const struct super_block *sb)
+LSM_HOOK(int, 0, 0, quota_on, struct dentry *dentry)
+LSM_HOOK(int, 0, 0, syslog, int type)
+LSM_HOOK(int, 0, 0, settime, const struct timespec64 *ts,
const struct timezone *tz)
-LSM_HOOK(int, 0, vm_enough_memory, struct mm_struct *mm, long pages)
-LSM_HOOK(int, 0, bprm_creds_for_exec, struct linux_binprm *bprm)
-LSM_HOOK(int, 0, bprm_creds_from_file, struct linux_binprm *bprm, const struct file *file)
-LSM_HOOK(int, 0, bprm_check_security, struct linux_binprm *bprm)
-LSM_HOOK(void, LSM_RET_VOID, bprm_committing_creds, const struct linux_binprm *bprm)
-LSM_HOOK(void, LSM_RET_VOID, bprm_committed_creds, const struct linux_binprm *bprm)
-LSM_HOOK(int, 0, fs_context_submount, struct fs_context *fc, struct super_block *reference)
-LSM_HOOK(int, 0, fs_context_dup, struct fs_context *fc,
+LSM_HOOK(int, 0, 0, vm_enough_memory, struct mm_struct *mm, long pages)
+LSM_HOOK(int, 0, 0, bprm_creds_for_exec, struct linux_binprm *bprm)
+LSM_HOOK(int, 0, 0, bprm_creds_from_file, struct linux_binprm *bprm,
+ const struct file *file)
+LSM_HOOK(int, 0, 0, bprm_check_security, struct linux_binprm *bprm)
+LSM_HOOK(void, LSM_RET_VOID, 0, bprm_committing_creds,
+ const struct linux_binprm *bprm)
+LSM_HOOK(void, LSM_RET_VOID, 0, bprm_committed_creds,
+ const struct linux_binprm *bprm)
+LSM_HOOK(int, 0, 0, fs_context_submount, struct fs_context *fc,
+ struct super_block *reference)
+LSM_HOOK(int, 0, 0, fs_context_dup, struct fs_context *fc,
struct fs_context *src_sc)
-LSM_HOOK(int, -ENOPARAM, fs_context_parse_param, struct fs_context *fc,
+LSM_HOOK(int, -ENOPARAM, 0, fs_context_parse_param, struct fs_context *fc,
struct fs_parameter *param)
-LSM_HOOK(int, 0, sb_alloc_security, struct super_block *sb)
-LSM_HOOK(void, LSM_RET_VOID, sb_delete, struct super_block *sb)
-LSM_HOOK(void, LSM_RET_VOID, sb_free_security, struct super_block *sb)
-LSM_HOOK(void, LSM_RET_VOID, sb_free_mnt_opts, void *mnt_opts)
-LSM_HOOK(int, 0, sb_eat_lsm_opts, char *orig, void **mnt_opts)
-LSM_HOOK(int, 0, sb_mnt_opts_compat, struct super_block *sb, void *mnt_opts)
-LSM_HOOK(int, 0, sb_remount, struct super_block *sb, void *mnt_opts)
-LSM_HOOK(int, 0, sb_kern_mount, const struct super_block *sb)
-LSM_HOOK(int, 0, sb_show_options, struct seq_file *m, struct super_block *sb)
-LSM_HOOK(int, 0, sb_statfs, struct dentry *dentry)
-LSM_HOOK(int, 0, sb_mount, const char *dev_name, const struct path *path,
+LSM_HOOK(int, 0, 0, sb_alloc_security, struct super_block *sb)
+LSM_HOOK(void, LSM_RET_VOID, 0, sb_delete, struct super_block *sb)
+LSM_HOOK(void, LSM_RET_VOID, 0, sb_free_security, struct super_block *sb)
+LSM_HOOK(void, LSM_RET_VOID, 0, sb_free_mnt_opts, void *mnt_opts)
+LSM_HOOK(int, 0, 0, sb_eat_lsm_opts, char *orig, void **mnt_opts)
+LSM_HOOK(int, 0, 0, sb_mnt_opts_compat, struct super_block *sb, void *mnt_opts)
+LSM_HOOK(int, 0, 0, sb_remount, struct super_block *sb, void *mnt_opts)
+LSM_HOOK(int, 0, 0, sb_kern_mount, const struct super_block *sb)
+LSM_HOOK(int, 0, 0, sb_show_options, struct seq_file *m, struct super_block *sb)
+LSM_HOOK(int, 0, 0, sb_statfs, struct dentry *dentry)
+LSM_HOOK(int, 0, 0, sb_mount, const char *dev_name, const struct path *path,
const char *type, unsigned long flags, void *data)
-LSM_HOOK(int, 0, sb_umount, struct vfsmount *mnt, int flags)
-LSM_HOOK(int, 0, sb_pivotroot, const struct path *old_path,
+LSM_HOOK(int, 0, 0, sb_umount, struct vfsmount *mnt, int flags)
+LSM_HOOK(int, 0, 0, sb_pivotroot, const struct path *old_path,
const struct path *new_path)
-LSM_HOOK(int, 0, sb_set_mnt_opts, struct super_block *sb, void *mnt_opts,
+LSM_HOOK(int, 0, 0, sb_set_mnt_opts, struct super_block *sb, void *mnt_opts,
unsigned long kern_flags, unsigned long *set_kern_flags)
-LSM_HOOK(int, 0, sb_clone_mnt_opts, const struct super_block *oldsb,
+LSM_HOOK(int, 0, 0, sb_clone_mnt_opts, const struct super_block *oldsb,
struct super_block *newsb, unsigned long kern_flags,
unsigned long *set_kern_flags)
-LSM_HOOK(int, 0, move_mount, const struct path *from_path,
+LSM_HOOK(int, 0, 0, move_mount, const struct path *from_path,
const struct path *to_path)
-LSM_HOOK(int, -EOPNOTSUPP, dentry_init_security, struct dentry *dentry,
+LSM_HOOK(int, -EOPNOTSUPP, 0, dentry_init_security, struct dentry *dentry,
int mode, const struct qstr *name, const char **xattr_name,
struct lsm_context *cp)
-LSM_HOOK(int, 0, dentry_create_files_as, struct dentry *dentry, int mode,
+LSM_HOOK(int, 0, 0, dentry_create_files_as, struct dentry *dentry, int mode,
const struct qstr *name, const struct cred *old, struct cred *new)
#ifdef CONFIG_SECURITY_PATH
-LSM_HOOK(int, 0, path_unlink, const struct path *dir, struct dentry *dentry)
-LSM_HOOK(int, 0, path_mkdir, const struct path *dir, struct dentry *dentry,
+LSM_HOOK(int, 0, 0, path_unlink, const struct path *dir, struct dentry *dentry)
+LSM_HOOK(int, 0, 0, path_mkdir, const struct path *dir, struct dentry *dentry,
umode_t mode)
-LSM_HOOK(int, 0, path_rmdir, const struct path *dir, struct dentry *dentry)
-LSM_HOOK(int, 0, path_mknod, const struct path *dir, struct dentry *dentry,
+LSM_HOOK(int, 0, 0, path_rmdir, const struct path *dir, struct dentry *dentry)
+LSM_HOOK(int, 0, 0, path_mknod, const struct path *dir, struct dentry *dentry,
umode_t mode, unsigned int dev)
-LSM_HOOK(void, LSM_RET_VOID, path_post_mknod, struct mnt_idmap *idmap,
+LSM_HOOK(void, LSM_RET_VOID, 0, path_post_mknod, struct mnt_idmap *idmap,
struct dentry *dentry)
-LSM_HOOK(int, 0, path_truncate, const struct path *path)
-LSM_HOOK(int, 0, path_symlink, const struct path *dir, struct dentry *dentry,
- const char *old_name)
-LSM_HOOK(int, 0, path_link, struct dentry *old_dentry,
+LSM_HOOK(int, 0, 0, path_truncate, const struct path *path)
+LSM_HOOK(int, 0, 0, path_symlink, const struct path *dir,
+ struct dentry *dentry, const char *old_name)
+LSM_HOOK(int, 0, 0, path_link, struct dentry *old_dentry,
const struct path *new_dir, struct dentry *new_dentry)
-LSM_HOOK(int, 0, path_rename, const struct path *old_dir,
+LSM_HOOK(int, 0, 0, path_rename, const struct path *old_dir,
struct dentry *old_dentry, const struct path *new_dir,
struct dentry *new_dentry, unsigned int flags)
-LSM_HOOK(int, 0, path_chmod, const struct path *path, umode_t mode)
-LSM_HOOK(int, 0, path_chown, const struct path *path, kuid_t uid, kgid_t gid)
-LSM_HOOK(int, 0, path_chroot, const struct path *path)
+LSM_HOOK(int, 0, 0, path_chmod, const struct path *path, umode_t mode)
+LSM_HOOK(int, 0, 0, path_chown, const struct path *path, kuid_t uid, kgid_t gid)
+LSM_HOOK(int, 0, 0, path_chroot, const struct path *path)
#endif /* CONFIG_SECURITY_PATH */
/* Needed for inode based security check */
-LSM_HOOK(int, 0, path_notify, const struct path *path, u64 mask,
+LSM_HOOK(int, 0, 0, path_notify, const struct path *path, u64 mask,
unsigned int obj_type)
-LSM_HOOK(int, 0, inode_alloc_security, struct inode *inode)
-LSM_HOOK(void, LSM_RET_VOID, inode_free_security, struct inode *inode)
-LSM_HOOK(void, LSM_RET_VOID, inode_free_security_rcu, void *inode_security)
-LSM_HOOK(int, -EOPNOTSUPP, inode_init_security, struct inode *inode,
+LSM_HOOK(int, 0, 0, inode_alloc_security, struct inode *inode)
+LSM_HOOK(void, LSM_RET_VOID, 0, inode_free_security, struct inode *inode)
+LSM_HOOK(void, LSM_RET_VOID, 0, inode_free_security_rcu, void *inode_security)
+LSM_HOOK(int, -EOPNOTSUPP, 0, inode_init_security, struct inode *inode,
struct inode *dir, const struct qstr *qstr, struct xattr *xattrs,
int *xattr_count)
-LSM_HOOK(int, 0, inode_init_security_anon, struct inode *inode,
+LSM_HOOK(int, 0, 0, inode_init_security_anon, struct inode *inode,
const struct qstr *name, const struct inode *context_inode)
-LSM_HOOK(int, 0, inode_create, struct inode *dir, struct dentry *dentry,
+LSM_HOOK(int, 0, 0, inode_create, struct inode *dir, struct dentry *dentry,
umode_t mode)
-LSM_HOOK(void, LSM_RET_VOID, inode_post_create_tmpfile, struct mnt_idmap *idmap,
- struct inode *inode)
-LSM_HOOK(int, 0, inode_link, struct dentry *old_dentry, struct inode *dir,
+LSM_HOOK(void, LSM_RET_VOID, 0, inode_post_create_tmpfile,
+ struct mnt_idmap *idmap, struct inode *inode)
+LSM_HOOK(int, 0, 0, inode_link, struct dentry *old_dentry, struct inode *dir,
struct dentry *new_dentry)
-LSM_HOOK(int, 0, inode_unlink, struct inode *dir, struct dentry *dentry)
-LSM_HOOK(int, 0, inode_symlink, struct inode *dir, struct dentry *dentry,
+LSM_HOOK(int, 0, 0, inode_unlink, struct inode *dir, struct dentry *dentry)
+LSM_HOOK(int, 0, 0, inode_symlink, struct inode *dir, struct dentry *dentry,
const char *old_name)
-LSM_HOOK(int, 0, inode_mkdir, struct inode *dir, struct dentry *dentry,
+LSM_HOOK(int, 0, 0, inode_mkdir, struct inode *dir, struct dentry *dentry,
umode_t mode)
-LSM_HOOK(int, 0, inode_rmdir, struct inode *dir, struct dentry *dentry)
-LSM_HOOK(int, 0, inode_mknod, struct inode *dir, struct dentry *dentry,
+LSM_HOOK(int, 0, 0, inode_rmdir, struct inode *dir, struct dentry *dentry)
+LSM_HOOK(int, 0, 0, inode_mknod, struct inode *dir, struct dentry *dentry,
umode_t mode, dev_t dev)
-LSM_HOOK(int, 0, inode_rename, struct inode *old_dir, struct dentry *old_dentry,
- struct inode *new_dir, struct dentry *new_dentry)
-LSM_HOOK(int, 0, inode_readlink, struct dentry *dentry)
-LSM_HOOK(int, 0, inode_follow_link, struct dentry *dentry, struct inode *inode,
- bool rcu)
-LSM_HOOK(int, 0, inode_permission, struct inode *inode, int mask)
-LSM_HOOK(int, 0, inode_setattr, struct mnt_idmap *idmap, struct dentry *dentry,
- struct iattr *attr)
-LSM_HOOK(void, LSM_RET_VOID, inode_post_setattr, struct mnt_idmap *idmap,
+LSM_HOOK(int, 0, 0, inode_rename, struct inode *old_dir,
+ struct dentry *old_dentry, struct inode *new_dir,
+ struct dentry *new_dentry)
+LSM_HOOK(int, 0, 0, inode_readlink, struct dentry *dentry)
+LSM_HOOK(int, 0, 0, inode_follow_link, struct dentry *dentry,
+ struct inode *inode, bool rcu)
+LSM_HOOK(int, 0, 0, inode_permission, struct inode *inode, int mask)
+LSM_HOOK(int, 0, 0, inode_setattr, struct mnt_idmap *idmap, struct dentry *dentry, struct iattr *attr)
+LSM_HOOK(void, LSM_RET_VOID, 0, inode_post_setattr, struct mnt_idmap *idmap,
struct dentry *dentry, int ia_valid)
-LSM_HOOK(int, 0, inode_getattr, const struct path *path)
-LSM_HOOK(int, 0, inode_xattr_skipcap, const char *name)
-LSM_HOOK(int, 0, inode_setxattr, struct mnt_idmap *idmap,
+LSM_HOOK(int, 0, 0, inode_getattr, const struct path *path)
+LSM_HOOK(int, 0, 0, inode_xattr_skipcap, const char *name)
+LSM_HOOK(int, 0, 0, inode_setxattr, struct mnt_idmap *idmap,
struct dentry *dentry, const char *name, const void *value,
size_t size, int flags)
-LSM_HOOK(void, LSM_RET_VOID, inode_post_setxattr, struct dentry *dentry,
+LSM_HOOK(void, LSM_RET_VOID, 0, inode_post_setxattr, struct dentry *dentry,
const char *name, const void *value, size_t size, int flags)
-LSM_HOOK(int, 0, inode_getxattr, struct dentry *dentry, const char *name)
-LSM_HOOK(int, 0, inode_listxattr, struct dentry *dentry)
-LSM_HOOK(int, 0, inode_removexattr, struct mnt_idmap *idmap,
+LSM_HOOK(int, 0, 0, inode_getxattr, struct dentry *dentry, const char *name)
+LSM_HOOK(int, 0, 0, inode_listxattr, struct dentry *dentry)
+LSM_HOOK(int, 0, 0, inode_removexattr, struct mnt_idmap *idmap,
struct dentry *dentry, const char *name)
-LSM_HOOK(void, LSM_RET_VOID, inode_post_removexattr, struct dentry *dentry,
+LSM_HOOK(void, LSM_RET_VOID, 0, inode_post_removexattr, struct dentry *dentry,
const char *name)
-LSM_HOOK(int, 0, inode_file_setattr, struct dentry *dentry, struct file_kattr *fa)
-LSM_HOOK(int, 0, inode_file_getattr, struct dentry *dentry, struct file_kattr *fa)
-LSM_HOOK(int, 0, inode_set_acl, struct mnt_idmap *idmap,
+LSM_HOOK(int, 0, 0, inode_file_setattr, struct dentry *dentry,
+ struct file_kattr *fa)
+LSM_HOOK(int, 0, 0, inode_file_getattr, struct dentry *dentry,
+ struct file_kattr *fa)
+LSM_HOOK(int, 0, 0, inode_set_acl, struct mnt_idmap *idmap,
struct dentry *dentry, const char *acl_name, struct posix_acl *kacl)
-LSM_HOOK(void, LSM_RET_VOID, inode_post_set_acl, struct dentry *dentry,
+LSM_HOOK(void, LSM_RET_VOID, 0, inode_post_set_acl, struct dentry *dentry,
const char *acl_name, struct posix_acl *kacl)
-LSM_HOOK(int, 0, inode_get_acl, struct mnt_idmap *idmap,
+LSM_HOOK(int, 0, 0, inode_get_acl, struct mnt_idmap *idmap,
struct dentry *dentry, const char *acl_name)
-LSM_HOOK(int, 0, inode_remove_acl, struct mnt_idmap *idmap,
+LSM_HOOK(int, 0, 0, inode_remove_acl, struct mnt_idmap *idmap,
struct dentry *dentry, const char *acl_name)
-LSM_HOOK(void, LSM_RET_VOID, inode_post_remove_acl, struct mnt_idmap *idmap,
+LSM_HOOK(void, LSM_RET_VOID, 0, inode_post_remove_acl, struct mnt_idmap *idmap,
struct dentry *dentry, const char *acl_name)
-LSM_HOOK(int, 0, inode_need_killpriv, struct dentry *dentry)
-LSM_HOOK(int, 0, inode_killpriv, struct mnt_idmap *idmap,
+LSM_HOOK(int, 0, 0, inode_need_killpriv, struct dentry *dentry)
+LSM_HOOK(int, 0, 0, inode_killpriv, struct mnt_idmap *idmap,
struct dentry *dentry)
-LSM_HOOK(int, -EOPNOTSUPP, inode_getsecurity, struct mnt_idmap *idmap,
+LSM_HOOK(int, -EOPNOTSUPP, 0, inode_getsecurity, struct mnt_idmap *idmap,
struct inode *inode, const char *name, void **buffer, bool alloc)
-LSM_HOOK(int, -EOPNOTSUPP, inode_setsecurity, struct inode *inode,
+LSM_HOOK(int, -EOPNOTSUPP, 0, inode_setsecurity, struct inode *inode,
const char *name, const void *value, size_t size, int flags)
-LSM_HOOK(int, 0, inode_listsecurity, struct inode *inode, char *buffer,
+LSM_HOOK(int, 0, 0, inode_listsecurity, struct inode *inode, char *buffer,
size_t buffer_size)
-LSM_HOOK(void, LSM_RET_VOID, inode_getlsmprop, struct inode *inode,
+LSM_HOOK(void, LSM_RET_VOID, 0, inode_getlsmprop, struct inode *inode,
struct lsm_prop *prop)
-LSM_HOOK(int, 0, inode_copy_up, struct dentry *src, struct cred **new)
-LSM_HOOK(int, -EOPNOTSUPP, inode_copy_up_xattr, struct dentry *src,
+LSM_HOOK(int, 0, 0, inode_copy_up, struct dentry *src, struct cred **new)
+LSM_HOOK(int, -EOPNOTSUPP, 0, inode_copy_up_xattr, struct dentry *src,
const char *name)
-LSM_HOOK(int, 0, inode_setintegrity, const struct inode *inode,
+LSM_HOOK(int, 0, 0, inode_setintegrity, const struct inode *inode,
enum lsm_integrity_type type, const void *value, size_t size)
-LSM_HOOK(int, 0, kernfs_init_security, struct kernfs_node *kn_dir,
+LSM_HOOK(int, 0, 0, kernfs_init_security, struct kernfs_node *kn_dir,
struct kernfs_node *kn)
-LSM_HOOK(int, 0, file_permission, struct file *file, int mask)
-LSM_HOOK(int, 0, file_alloc_security, struct file *file)
-LSM_HOOK(void, LSM_RET_VOID, file_release, struct file *file)
-LSM_HOOK(void, LSM_RET_VOID, file_free_security, struct file *file)
-LSM_HOOK(int, 0, file_ioctl, struct file *file, unsigned int cmd,
+LSM_HOOK(int, 0, 0, file_permission, struct file *file, int mask)
+LSM_HOOK(int, 0, 0, file_alloc_security, struct file *file)
+LSM_HOOK(void, LSM_RET_VOID, 0, file_release, struct file *file)
+LSM_HOOK(void, LSM_RET_VOID, 0, file_free_security, struct file *file)
+LSM_HOOK(int, 0, 0, file_ioctl, struct file *file, unsigned int cmd,
unsigned long arg)
-LSM_HOOK(int, 0, file_ioctl_compat, struct file *file, unsigned int cmd,
+LSM_HOOK(int, 0, 0, file_ioctl_compat, struct file *file, unsigned int cmd,
unsigned long arg)
-LSM_HOOK(int, 0, mmap_addr, unsigned long addr)
-LSM_HOOK(int, 0, mmap_file, struct file *file, unsigned long reqprot,
+LSM_HOOK(int, 0, 0, mmap_addr, unsigned long addr)
+LSM_HOOK(int, 0, 0, mmap_file, struct file *file, unsigned long reqprot,
unsigned long prot, unsigned long flags)
-LSM_HOOK(int, 0, file_mprotect, struct vm_area_struct *vma,
+LSM_HOOK(int, 0, 0, file_mprotect, struct vm_area_struct *vma,
unsigned long reqprot, unsigned long prot)
-LSM_HOOK(int, 0, file_lock, struct file *file, unsigned int cmd)
-LSM_HOOK(int, 0, file_fcntl, struct file *file, unsigned int cmd,
+LSM_HOOK(int, 0, 0, file_lock, struct file *file, unsigned int cmd)
+LSM_HOOK(int, 0, 0, file_fcntl, struct file *file, unsigned int cmd,
unsigned long arg)
-LSM_HOOK(void, LSM_RET_VOID, file_set_fowner, struct file *file)
-LSM_HOOK(int, 0, file_send_sigiotask, struct task_struct *tsk,
+LSM_HOOK(void, LSM_RET_VOID, 0, file_set_fowner, struct file *file)
+LSM_HOOK(int, 0, 0, file_send_sigiotask, struct task_struct *tsk,
struct fown_struct *fown, int sig)
-LSM_HOOK(int, 0, file_receive, struct file *file)
-LSM_HOOK(int, 0, file_open, struct file *file)
-LSM_HOOK(int, 0, file_post_open, struct file *file, int mask)
-LSM_HOOK(int, 0, file_truncate, struct file *file)
-LSM_HOOK(int, 0, task_alloc, struct task_struct *task,
- u64 clone_flags)
-LSM_HOOK(void, LSM_RET_VOID, task_free, struct task_struct *task)
-LSM_HOOK(int, 0, cred_alloc_blank, struct cred *cred, gfp_t gfp)
-LSM_HOOK(void, LSM_RET_VOID, cred_free, struct cred *cred)
-LSM_HOOK(int, 0, cred_prepare, struct cred *new, const struct cred *old,
+LSM_HOOK(int, 0, 0, file_receive, struct file *file)
+LSM_HOOK(int, 0, 0, file_open, struct file *file)
+LSM_HOOK(int, 0, 0, file_post_open, struct file *file, int mask)
+LSM_HOOK(int, 0, 0, file_truncate, struct file *file)
+LSM_HOOK(int, 0, 0, task_alloc, struct task_struct *task, u64 clone_flags)
+LSM_HOOK(void, LSM_RET_VOID, 0, task_free, struct task_struct *task)
+LSM_HOOK(int, 0, 0, cred_alloc_blank, struct cred *cred, gfp_t gfp)
+LSM_HOOK(void, LSM_RET_VOID, 0, cred_free, struct cred *cred)
+LSM_HOOK(int, 0, 0, cred_prepare, struct cred *new, const struct cred *old,
gfp_t gfp)
-LSM_HOOK(void, LSM_RET_VOID, cred_transfer, struct cred *new,
+LSM_HOOK(void, LSM_RET_VOID, 0, cred_transfer, struct cred *new,
const struct cred *old)
-LSM_HOOK(void, LSM_RET_VOID, cred_getsecid, const struct cred *c, u32 *secid)
-LSM_HOOK(void, LSM_RET_VOID, cred_getlsmprop, const struct cred *c,
+LSM_HOOK(void, LSM_RET_VOID, 0, cred_getsecid, const struct cred *c, u32 *secid)
+LSM_HOOK(void, LSM_RET_VOID, 0, cred_getlsmprop, const struct cred *c,
struct lsm_prop *prop)
-LSM_HOOK(int, 0, kernel_act_as, struct cred *new, u32 secid)
-LSM_HOOK(int, 0, kernel_create_files_as, struct cred *new, struct inode *inode)
-LSM_HOOK(int, 0, kernel_module_request, char *kmod_name)
-LSM_HOOK(int, 0, kernel_load_data, enum kernel_load_data_id id, bool contents)
-LSM_HOOK(int, 0, kernel_post_load_data, char *buf, loff_t size,
+LSM_HOOK(int, 0, 0, kernel_act_as, struct cred *new, u32 secid)
+LSM_HOOK(int, 0, 0, kernel_create_files_as, struct cred *new,
+ struct inode *inode)
+LSM_HOOK(int, 0, 0, kernel_module_request, char *kmod_name)
+LSM_HOOK(int, 0, 0, kernel_load_data, enum kernel_load_data_id id,
+ bool contents)
+LSM_HOOK(int, 0, 0, kernel_post_load_data, char *buf, loff_t size,
enum kernel_load_data_id id, char *description)
-LSM_HOOK(int, 0, kernel_read_file, struct file *file,
+LSM_HOOK(int, 0, 0, kernel_read_file, struct file *file,
enum kernel_read_file_id id, bool contents)
-LSM_HOOK(int, 0, kernel_post_read_file, struct file *file, char *buf,
+LSM_HOOK(int, 0, 0, kernel_post_read_file, struct file *file, char *buf,
loff_t size, enum kernel_read_file_id id)
-LSM_HOOK(int, 0, task_fix_setuid, struct cred *new, const struct cred *old,
+LSM_HOOK(int, 0, 0, task_fix_setuid, struct cred *new, const struct cred *old,
int flags)
-LSM_HOOK(int, 0, task_fix_setgid, struct cred *new, const struct cred * old,
+LSM_HOOK(int, 0, 0, task_fix_setgid, struct cred *new, const struct cred *old,
int flags)
-LSM_HOOK(int, 0, task_fix_setgroups, struct cred *new, const struct cred * old)
-LSM_HOOK(int, 0, task_setpgid, struct task_struct *p, pid_t pgid)
-LSM_HOOK(int, 0, task_getpgid, struct task_struct *p)
-LSM_HOOK(int, 0, task_getsid, struct task_struct *p)
-LSM_HOOK(void, LSM_RET_VOID, current_getlsmprop_subj, struct lsm_prop *prop)
-LSM_HOOK(void, LSM_RET_VOID, task_getlsmprop_obj,
- struct task_struct *p, struct lsm_prop *prop)
-LSM_HOOK(int, 0, task_setnice, struct task_struct *p, int nice)
-LSM_HOOK(int, 0, task_setioprio, struct task_struct *p, int ioprio)
-LSM_HOOK(int, 0, task_getioprio, struct task_struct *p)
-LSM_HOOK(int, 0, task_prlimit, const struct cred *cred,
+LSM_HOOK(int, 0, 0, task_fix_setgroups, struct cred *new,
+ const struct cred *old)
+LSM_HOOK(int, 0, 0, task_setpgid, struct task_struct *p, pid_t pgid)
+LSM_HOOK(int, 0, 0, task_getpgid, struct task_struct *p)
+LSM_HOOK(int, 0, 0, task_getsid, struct task_struct *p)
+LSM_HOOK(void, LSM_RET_VOID, 0, current_getlsmprop_subj, struct lsm_prop *prop)
+LSM_HOOK(void, LSM_RET_VOID, 0, task_getlsmprop_obj, struct task_struct *p,
+ struct lsm_prop *prop)
+LSM_HOOK(int, 0, 0, task_setnice, struct task_struct *p, int nice)
+LSM_HOOK(int, 0, 0, task_setioprio, struct task_struct *p, int ioprio)
+LSM_HOOK(int, 0, 0, task_getioprio, struct task_struct *p)
+LSM_HOOK(int, 0, 0, task_prlimit, const struct cred *cred,
const struct cred *tcred, unsigned int flags)
-LSM_HOOK(int, 0, task_setrlimit, struct task_struct *p, unsigned int resource,
- struct rlimit *new_rlim)
-LSM_HOOK(int, 0, task_setscheduler, struct task_struct *p)
-LSM_HOOK(int, 0, task_getscheduler, struct task_struct *p)
-LSM_HOOK(int, 0, task_movememory, struct task_struct *p)
-LSM_HOOK(int, 0, task_kill, struct task_struct *p, struct kernel_siginfo *info,
- int sig, const struct cred *cred)
-LSM_HOOK(int, -ENOSYS, task_prctl, int option, unsigned long arg2,
+LSM_HOOK(int, 0, 0, task_setrlimit, struct task_struct *p,
+ unsigned int resource, struct rlimit *new_rlim)
+LSM_HOOK(int, 0, 0, task_setscheduler, struct task_struct *p)
+LSM_HOOK(int, 0, 0, task_getscheduler, struct task_struct *p)
+LSM_HOOK(int, 0, 0, task_movememory, struct task_struct *p)
+LSM_HOOK(int, 0, 0, task_kill, struct task_struct *p,
+ struct kernel_siginfo *info, int sig, const struct cred *cred)
+LSM_HOOK(int, -ENOSYS, 0, task_prctl, int option, unsigned long arg2,
unsigned long arg3, unsigned long arg4, unsigned long arg5)
-LSM_HOOK(void, LSM_RET_VOID, task_to_inode, struct task_struct *p,
+LSM_HOOK(void, LSM_RET_VOID, 0, task_to_inode, struct task_struct *p,
struct inode *inode)
-LSM_HOOK(int, 0, userns_create, const struct cred *cred)
-LSM_HOOK(int, 0, ipc_permission, struct kern_ipc_perm *ipcp, short flag)
-LSM_HOOK(void, LSM_RET_VOID, ipc_getlsmprop, struct kern_ipc_perm *ipcp,
+LSM_HOOK(int, 0, 0, userns_create, const struct cred *cred)
+LSM_HOOK(int, 0, 0, ipc_permission, struct kern_ipc_perm *ipcp, short flag)
+LSM_HOOK(void, LSM_RET_VOID, 0, ipc_getlsmprop, struct kern_ipc_perm *ipcp,
struct lsm_prop *prop)
-LSM_HOOK(int, 0, msg_msg_alloc_security, struct msg_msg *msg)
-LSM_HOOK(void, LSM_RET_VOID, msg_msg_free_security, struct msg_msg *msg)
-LSM_HOOK(int, 0, msg_queue_alloc_security, struct kern_ipc_perm *perm)
-LSM_HOOK(void, LSM_RET_VOID, msg_queue_free_security,
+LSM_HOOK(int, 0, 0, msg_msg_alloc_security, struct msg_msg *msg)
+LSM_HOOK(void, LSM_RET_VOID, 0, msg_msg_free_security, struct msg_msg *msg)
+LSM_HOOK(int, 0, 0, msg_queue_alloc_security, struct kern_ipc_perm *perm)
+LSM_HOOK(void, LSM_RET_VOID, 0, msg_queue_free_security,
struct kern_ipc_perm *perm)
-LSM_HOOK(int, 0, msg_queue_associate, struct kern_ipc_perm *perm, int msqflg)
-LSM_HOOK(int, 0, msg_queue_msgctl, struct kern_ipc_perm *perm, int cmd)
-LSM_HOOK(int, 0, msg_queue_msgsnd, struct kern_ipc_perm *perm,
+LSM_HOOK(int, 0, 0, msg_queue_associate, struct kern_ipc_perm *perm, int msqflg)
+LSM_HOOK(int, 0, 0, msg_queue_msgctl, struct kern_ipc_perm *perm, int cmd)
+LSM_HOOK(int, 0, 0, msg_queue_msgsnd, struct kern_ipc_perm *perm,
struct msg_msg *msg, int msqflg)
-LSM_HOOK(int, 0, msg_queue_msgrcv, struct kern_ipc_perm *perm,
+LSM_HOOK(int, 0, 0, msg_queue_msgrcv, struct kern_ipc_perm *perm,
struct msg_msg *msg, struct task_struct *target, long type, int mode)
-LSM_HOOK(int, 0, shm_alloc_security, struct kern_ipc_perm *perm)
-LSM_HOOK(void, LSM_RET_VOID, shm_free_security, struct kern_ipc_perm *perm)
-LSM_HOOK(int, 0, shm_associate, struct kern_ipc_perm *perm, int shmflg)
-LSM_HOOK(int, 0, shm_shmctl, struct kern_ipc_perm *perm, int cmd)
-LSM_HOOK(int, 0, shm_shmat, struct kern_ipc_perm *perm, char __user *shmaddr,
- int shmflg)
-LSM_HOOK(int, 0, sem_alloc_security, struct kern_ipc_perm *perm)
-LSM_HOOK(void, LSM_RET_VOID, sem_free_security, struct kern_ipc_perm *perm)
-LSM_HOOK(int, 0, sem_associate, struct kern_ipc_perm *perm, int semflg)
-LSM_HOOK(int, 0, sem_semctl, struct kern_ipc_perm *perm, int cmd)
-LSM_HOOK(int, 0, sem_semop, struct kern_ipc_perm *perm, struct sembuf *sops,
+LSM_HOOK(int, 0, 0, shm_alloc_security, struct kern_ipc_perm *perm)
+LSM_HOOK(void, LSM_RET_VOID, 0, shm_free_security, struct kern_ipc_perm *perm)
+LSM_HOOK(int, 0, 0, shm_associate, struct kern_ipc_perm *perm, int shmflg)
+LSM_HOOK(int, 0, 0, shm_shmctl, struct kern_ipc_perm *perm, int cmd)
+LSM_HOOK(int, 0, 0, shm_shmat, struct kern_ipc_perm *perm,
+ char __user *shmaddr, int shmflg)
+LSM_HOOK(int, 0, 0, sem_alloc_security, struct kern_ipc_perm *perm)
+LSM_HOOK(void, LSM_RET_VOID, 0, sem_free_security, struct kern_ipc_perm *perm)
+LSM_HOOK(int, 0, 0, sem_associate, struct kern_ipc_perm *perm, int semflg)
+LSM_HOOK(int, 0, 0, sem_semctl, struct kern_ipc_perm *perm, int cmd)
+LSM_HOOK(int, 0, 0, sem_semop, struct kern_ipc_perm *perm, struct sembuf *sops,
unsigned nsops, int alter)
-LSM_HOOK(int, 0, netlink_send, struct sock *sk, struct sk_buff *skb)
-LSM_HOOK(void, LSM_RET_VOID, d_instantiate, struct dentry *dentry,
+LSM_HOOK(int, 0, 0, netlink_send, struct sock *sk, struct sk_buff *skb)
+LSM_HOOK(void, LSM_RET_VOID, 0, d_instantiate, struct dentry *dentry,
struct inode *inode)
-LSM_HOOK(int, -EOPNOTSUPP, getselfattr, unsigned int attr,
+LSM_HOOK(int, -EOPNOTSUPP, 0, getselfattr, unsigned int attr,
struct lsm_ctx __user *ctx, u32 *size, u32 flags)
-LSM_HOOK(int, -EOPNOTSUPP, setselfattr, unsigned int attr,
+LSM_HOOK(int, -EOPNOTSUPP, 0, setselfattr, unsigned int attr,
struct lsm_ctx *ctx, u32 size, u32 flags)
-LSM_HOOK(int, -EINVAL, getprocattr, struct task_struct *p, const char *name,
+LSM_HOOK(int, -EINVAL, 0, getprocattr, struct task_struct *p, const char *name,
char **value)
-LSM_HOOK(int, -EINVAL, setprocattr, const char *name, void *value, size_t size)
-LSM_HOOK(int, 0, ismaclabel, const char *name)
-LSM_HOOK(int, -EOPNOTSUPP, secid_to_secctx, u32 secid, struct lsm_context *cp)
-LSM_HOOK(int, -EOPNOTSUPP, lsmprop_to_secctx, struct lsm_prop *prop,
+LSM_HOOK(int, -EINVAL, 0, setprocattr, const char *name, void *value,
+ size_t size)
+LSM_HOOK(int, 0, 0, ismaclabel, const char *name)
+LSM_HOOK(int, -EOPNOTSUPP, 0, secid_to_secctx, u32 secid,
+ struct lsm_context *cp)
+LSM_HOOK(int, -EOPNOTSUPP, 0, lsmprop_to_secctx, struct lsm_prop *prop,
struct lsm_context *cp)
-LSM_HOOK(int, 0, secctx_to_secid, const char *secdata, u32 seclen, u32 *secid)
-LSM_HOOK(void, LSM_RET_VOID, release_secctx, struct lsm_context *cp)
-LSM_HOOK(void, LSM_RET_VOID, inode_invalidate_secctx, struct inode *inode)
-LSM_HOOK(int, 0, inode_notifysecctx, struct inode *inode, void *ctx, u32 ctxlen)
-LSM_HOOK(int, 0, inode_setsecctx, struct dentry *dentry, void *ctx, u32 ctxlen)
-LSM_HOOK(int, -EOPNOTSUPP, inode_getsecctx, struct inode *inode,
+LSM_HOOK(int, 0, 0, secctx_to_secid, const char *secdata, u32 seclen,
+ u32 *secid)
+LSM_HOOK(void, LSM_RET_VOID, 0, release_secctx, struct lsm_context *cp)
+LSM_HOOK(void, LSM_RET_VOID, 0, inode_invalidate_secctx, struct inode *inode)
+LSM_HOOK(int, 0, 0, inode_notifysecctx, struct inode *inode, void *ctx,
+ u32 ctxlen)
+LSM_HOOK(int, 0, 0, inode_setsecctx, struct dentry *dentry, void *ctx,
+ u32 ctxlen)
+LSM_HOOK(int, -EOPNOTSUPP, 0, inode_getsecctx, struct inode *inode,
struct lsm_context *cp)
#if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
-LSM_HOOK(int, 0, post_notification, const struct cred *w_cred,
+LSM_HOOK(int, 0, 0, post_notification, const struct cred *w_cred,
const struct cred *cred, struct watch_notification *n)
#endif /* CONFIG_SECURITY && CONFIG_WATCH_QUEUE */
#if defined(CONFIG_SECURITY) && defined(CONFIG_KEY_NOTIFICATIONS)
-LSM_HOOK(int, 0, watch_key, struct key *key)
+LSM_HOOK(int, 0, 0, watch_key, struct key *key)
#endif /* CONFIG_SECURITY && CONFIG_KEY_NOTIFICATIONS */
#ifdef CONFIG_SECURITY_NETWORK
-LSM_HOOK(int, 0, unix_stream_connect, struct sock *sock, struct sock *other,
+LSM_HOOK(int, 0, 0, unix_stream_connect, struct sock *sock, struct sock *other,
struct sock *newsk)
-LSM_HOOK(int, 0, unix_may_send, struct socket *sock, struct socket *other)
-LSM_HOOK(int, 0, socket_create, int family, int type, int protocol, int kern)
-LSM_HOOK(int, 0, socket_post_create, struct socket *sock, int family, int type,
- int protocol, int kern)
-LSM_HOOK(int, 0, socket_socketpair, struct socket *socka, struct socket *sockb)
-LSM_HOOK(int, 0, socket_bind, struct socket *sock, struct sockaddr *address,
- int addrlen)
-LSM_HOOK(int, 0, socket_connect, struct socket *sock, struct sockaddr *address,
+LSM_HOOK(int, 0, 0, unix_may_send, struct socket *sock, struct socket *other)
+LSM_HOOK(int, 0, 0, socket_create, int family, int type, int protocol,
+ int kern)
+LSM_HOOK(int, 0, 0, socket_post_create, struct socket *sock, int family,
+ int type, int protocol, int kern)
+LSM_HOOK(int, 0, 0, socket_socketpair, struct socket *socka,
+ struct socket *sockb)
+LSM_HOOK(int, 0, 0, socket_bind, struct socket *sock, struct sockaddr *address,
int addrlen)
-LSM_HOOK(int, 0, socket_listen, struct socket *sock, int backlog)
-LSM_HOOK(int, 0, socket_accept, struct socket *sock, struct socket *newsock)
-LSM_HOOK(int, 0, socket_sendmsg, struct socket *sock, struct msghdr *msg,
+LSM_HOOK(int, 0, 0, socket_connect, struct socket *sock,
+ struct sockaddr *address, int addrlen)
+LSM_HOOK(int, 0, 0, socket_listen, struct socket *sock, int backlog)
+LSM_HOOK(int, 0, 0, socket_accept, struct socket *sock, struct socket *newsock)
+LSM_HOOK(int, 0, 0, socket_sendmsg, struct socket *sock, struct msghdr *msg,
int size)
-LSM_HOOK(int, 0, socket_recvmsg, struct socket *sock, struct msghdr *msg,
+LSM_HOOK(int, 0, 0, socket_recvmsg, struct socket *sock, struct msghdr *msg,
int size, int flags)
-LSM_HOOK(int, 0, socket_getsockname, struct socket *sock)
-LSM_HOOK(int, 0, socket_getpeername, struct socket *sock)
-LSM_HOOK(int, 0, socket_getsockopt, struct socket *sock, int level, int optname)
-LSM_HOOK(int, 0, socket_setsockopt, struct socket *sock, int level, int optname)
-LSM_HOOK(int, 0, socket_shutdown, struct socket *sock, int how)
-LSM_HOOK(int, 0, socket_sock_rcv_skb, struct sock *sk, struct sk_buff *skb)
-LSM_HOOK(int, -ENOPROTOOPT, socket_getpeersec_stream, struct socket *sock,
+LSM_HOOK(int, 0, 0, socket_getsockname, struct socket *sock)
+LSM_HOOK(int, 0, 0, socket_getpeername, struct socket *sock)
+LSM_HOOK(int, 0, 0, socket_getsockopt, struct socket *sock, int level,
+ int optname)
+LSM_HOOK(int, 0, 0, socket_setsockopt, struct socket *sock, int level,
+ int optname)
+LSM_HOOK(int, 0, 0, socket_shutdown, struct socket *sock, int how)
+LSM_HOOK(int, 0, 0, socket_sock_rcv_skb, struct sock *sk, struct sk_buff *skb)
+LSM_HOOK(int, -ENOPROTOOPT, 0, socket_getpeersec_stream, struct socket *sock,
sockptr_t optval, sockptr_t optlen, unsigned int len)
-LSM_HOOK(int, -ENOPROTOOPT, socket_getpeersec_dgram, struct socket *sock,
+LSM_HOOK(int, -ENOPROTOOPT, 0, socket_getpeersec_dgram, struct socket *sock,
struct sk_buff *skb, u32 *secid)
-LSM_HOOK(int, 0, sk_alloc_security, struct sock *sk, int family, gfp_t priority)
-LSM_HOOK(void, LSM_RET_VOID, sk_free_security, struct sock *sk)
-LSM_HOOK(void, LSM_RET_VOID, sk_clone_security, const struct sock *sk,
+LSM_HOOK(int, 0, 0, sk_alloc_security, struct sock *sk, int family,
+ gfp_t priority)
+LSM_HOOK(void, LSM_RET_VOID, 0, sk_free_security, struct sock *sk)
+LSM_HOOK(void, LSM_RET_VOID, 0, sk_clone_security, const struct sock *sk,
struct sock *newsk)
-LSM_HOOK(void, LSM_RET_VOID, sk_getsecid, const struct sock *sk, u32 *secid)
-LSM_HOOK(void, LSM_RET_VOID, sock_graft, struct sock *sk, struct socket *parent)
-LSM_HOOK(int, 0, inet_conn_request, const struct sock *sk, struct sk_buff *skb,
- struct request_sock *req)
-LSM_HOOK(void, LSM_RET_VOID, inet_csk_clone, struct sock *newsk,
+LSM_HOOK(void, LSM_RET_VOID, 0, sk_getsecid, const struct sock *sk, u32 *secid)
+LSM_HOOK(void, LSM_RET_VOID, 0, sock_graft, struct sock *sk,
+ struct socket *parent)
+LSM_HOOK(int, 0, 0, inet_conn_request, const struct sock *sk,
+ struct sk_buff *skb, struct request_sock *req)
+LSM_HOOK(void, LSM_RET_VOID, 0, inet_csk_clone, struct sock *newsk,
const struct request_sock *req)
-LSM_HOOK(void, LSM_RET_VOID, inet_conn_established, struct sock *sk,
+LSM_HOOK(void, LSM_RET_VOID, 0, inet_conn_established, struct sock *sk,
struct sk_buff *skb)
-LSM_HOOK(int, 0, secmark_relabel_packet, u32 secid)
-LSM_HOOK(void, LSM_RET_VOID, secmark_refcount_inc, void)
-LSM_HOOK(void, LSM_RET_VOID, secmark_refcount_dec, void)
-LSM_HOOK(void, LSM_RET_VOID, req_classify_flow, const struct request_sock *req,
- struct flowi_common *flic)
-LSM_HOOK(int, 0, tun_dev_alloc_security, void *security)
-LSM_HOOK(int, 0, tun_dev_create, void)
-LSM_HOOK(int, 0, tun_dev_attach_queue, void *security)
-LSM_HOOK(int, 0, tun_dev_attach, struct sock *sk, void *security)
-LSM_HOOK(int, 0, tun_dev_open, void *security)
-LSM_HOOK(int, 0, sctp_assoc_request, struct sctp_association *asoc,
+LSM_HOOK(int, 0, 0, secmark_relabel_packet, u32 secid)
+LSM_HOOK(void, LSM_RET_VOID, 0, secmark_refcount_inc, void)
+LSM_HOOK(void, LSM_RET_VOID, 0, secmark_refcount_dec, void)
+LSM_HOOK(void, LSM_RET_VOID, 0, req_classify_flow,
+ const struct request_sock *req, struct flowi_common *flic)
+LSM_HOOK(int, 0, 0, tun_dev_alloc_security, void *security)
+LSM_HOOK(int, 0, 0, tun_dev_create, void)
+LSM_HOOK(int, 0, 0, tun_dev_attach_queue, void *security)
+LSM_HOOK(int, 0, 0, tun_dev_attach, struct sock *sk, void *security)
+LSM_HOOK(int, 0, 0, tun_dev_open, void *security)
+LSM_HOOK(int, 0, 0, sctp_assoc_request, struct sctp_association *asoc,
struct sk_buff *skb)
-LSM_HOOK(int, 0, sctp_bind_connect, struct sock *sk, int optname,
+LSM_HOOK(int, 0, 0, sctp_bind_connect, struct sock *sk, int optname,
struct sockaddr *address, int addrlen)
-LSM_HOOK(void, LSM_RET_VOID, sctp_sk_clone, struct sctp_association *asoc,
+LSM_HOOK(void, LSM_RET_VOID, 0, sctp_sk_clone, struct sctp_association *asoc,
struct sock *sk, struct sock *newsk)
-LSM_HOOK(int, 0, sctp_assoc_established, struct sctp_association *asoc,
+LSM_HOOK(int, 0, 0, sctp_assoc_established, struct sctp_association *asoc,
struct sk_buff *skb)
-LSM_HOOK(int, 0, mptcp_add_subflow, struct sock *sk, struct sock *ssk)
+LSM_HOOK(int, 0, 0, mptcp_add_subflow, struct sock *sk, struct sock *ssk)
#endif /* CONFIG_SECURITY_NETWORK */
#ifdef CONFIG_SECURITY_INFINIBAND
-LSM_HOOK(int, 0, ib_pkey_access, void *sec, u64 subnet_prefix, u16 pkey)
-LSM_HOOK(int, 0, ib_endport_manage_subnet, void *sec, const char *dev_name,
+LSM_HOOK(int, 0, 0, ib_pkey_access, void *sec, u64 subnet_prefix, u16 pkey)
+LSM_HOOK(int, 0, 0, ib_endport_manage_subnet, void *sec, const char *dev_name,
u8 port_num)
-LSM_HOOK(int, 0, ib_alloc_security, void *sec)
+LSM_HOOK(int, 0, 0, ib_alloc_security, void *sec)
#endif /* CONFIG_SECURITY_INFINIBAND */
#ifdef CONFIG_SECURITY_NETWORK_XFRM
-LSM_HOOK(int, 0, xfrm_policy_alloc_security, struct xfrm_sec_ctx **ctxp,
+LSM_HOOK(int, 0, 0, xfrm_policy_alloc_security, struct xfrm_sec_ctx **ctxp,
struct xfrm_user_sec_ctx *sec_ctx, gfp_t gfp)
-LSM_HOOK(int, 0, xfrm_policy_clone_security, struct xfrm_sec_ctx *old_ctx,
+LSM_HOOK(int, 0, 0, xfrm_policy_clone_security, struct xfrm_sec_ctx *old_ctx,
struct xfrm_sec_ctx **new_ctx)
-LSM_HOOK(void, LSM_RET_VOID, xfrm_policy_free_security,
+LSM_HOOK(void, LSM_RET_VOID, 0, xfrm_policy_free_security,
struct xfrm_sec_ctx *ctx)
-LSM_HOOK(int, 0, xfrm_policy_delete_security, struct xfrm_sec_ctx *ctx)
-LSM_HOOK(int, 0, xfrm_state_alloc, struct xfrm_state *x,
+LSM_HOOK(int, 0, 0, xfrm_policy_delete_security, struct xfrm_sec_ctx *ctx)
+LSM_HOOK(int, 0, 0, xfrm_state_alloc, struct xfrm_state *x,
struct xfrm_user_sec_ctx *sec_ctx)
-LSM_HOOK(int, 0, xfrm_state_alloc_acquire, struct xfrm_state *x,
- struct xfrm_sec_ctx *polsec, u32 secid)
-LSM_HOOK(void, LSM_RET_VOID, xfrm_state_free_security, struct xfrm_state *x)
-LSM_HOOK(int, 0, xfrm_state_delete_security, struct xfrm_state *x)
-LSM_HOOK(int, 0, xfrm_policy_lookup, struct xfrm_sec_ctx *ctx, u32 fl_secid)
-LSM_HOOK(int, 1, xfrm_state_pol_flow_match, struct xfrm_state *x,
+LSM_HOOK(int, 0, 0, xfrm_state_alloc_acquire,
+ struct xfrm_state *x, struct xfrm_sec_ctx *polsec, u32 secid)
+LSM_HOOK(void, LSM_RET_VOID, 0, xfrm_state_free_security, struct xfrm_state *x)
+LSM_HOOK(int, 0, 0, xfrm_state_delete_security, struct xfrm_state *x)
+LSM_HOOK(int, 0, 0, xfrm_policy_lookup, struct xfrm_sec_ctx *ctx, u32 fl_secid)
+LSM_HOOK(int, 1, 0, xfrm_state_pol_flow_match, struct xfrm_state *x,
struct xfrm_policy *xp, const struct flowi_common *flic)
-LSM_HOOK(int, 0, xfrm_decode_session, struct sk_buff *skb, u32 *secid,
+LSM_HOOK(int, 0, 0, xfrm_decode_session, struct sk_buff *skb, u32 *secid,
int ckall)
#endif /* CONFIG_SECURITY_NETWORK_XFRM */
/* key management security hooks */
#ifdef CONFIG_KEYS
-LSM_HOOK(int, 0, key_alloc, struct key *key, const struct cred *cred,
+LSM_HOOK(int, 0, 0, key_alloc, struct key *key, const struct cred *cred,
unsigned long flags)
-LSM_HOOK(int, 0, key_permission, key_ref_t key_ref, const struct cred *cred,
- enum key_need_perm need_perm)
-LSM_HOOK(int, 0, key_getsecurity, struct key *key, char **buffer)
-LSM_HOOK(void, LSM_RET_VOID, key_post_create_or_update, struct key *keyring,
+LSM_HOOK(int, 0, 0, key_permission, key_ref_t key_ref,
+ const struct cred *cred, enum key_need_perm need_perm)
+LSM_HOOK(int, 0, 0, key_getsecurity, struct key *key, char **buffer)
+LSM_HOOK(void, LSM_RET_VOID, 0, key_post_create_or_update, struct key *keyring,
struct key *key, const void *payload, size_t payload_len,
unsigned long flags, bool create)
#endif /* CONFIG_KEYS */
#ifdef CONFIG_AUDIT
-LSM_HOOK(int, 0, audit_rule_init, u32 field, u32 op, char *rulestr,
+LSM_HOOK(int, 0, 0, audit_rule_init, u32 field, u32 op, char *rulestr,
void **lsmrule, gfp_t gfp)
-LSM_HOOK(int, 0, audit_rule_known, struct audit_krule *krule)
-LSM_HOOK(int, 0, audit_rule_match, struct lsm_prop *prop, u32 field, u32 op,
+LSM_HOOK(int, 0, 0, audit_rule_known, struct audit_krule *krule)
+LSM_HOOK(int, 0, 0, audit_rule_match, struct lsm_prop *prop, u32 field, u32 op,
void *lsmrule)
-LSM_HOOK(void, LSM_RET_VOID, audit_rule_free, void *lsmrule)
+LSM_HOOK(void, LSM_RET_VOID, 0, audit_rule_free, void *lsmrule)
#endif /* CONFIG_AUDIT */
#ifdef CONFIG_BPF_SYSCALL
-LSM_HOOK(int, 0, bpf, int cmd, union bpf_attr *attr, unsigned int size, bool kernel)
-LSM_HOOK(int, 0, bpf_map, struct bpf_map *map, fmode_t fmode)
-LSM_HOOK(int, 0, bpf_prog, struct bpf_prog *prog)
-LSM_HOOK(int, 0, bpf_map_create, struct bpf_map *map, union bpf_attr *attr,
- struct bpf_token *token, bool kernel)
-LSM_HOOK(void, LSM_RET_VOID, bpf_map_free, struct bpf_map *map)
-LSM_HOOK(int, 0, bpf_prog_load, struct bpf_prog *prog, union bpf_attr *attr,
+LSM_HOOK(int, 0, 0, bpf, int cmd, union bpf_attr *attr, unsigned int size,
+ bool kernel)
+LSM_HOOK(int, 0, 0, bpf_map, struct bpf_map *map, fmode_t fmode)
+LSM_HOOK(int, 0, 0, bpf_prog, struct bpf_prog *prog)
+LSM_HOOK(int, 0, 0, bpf_map_create, struct bpf_map *map, union bpf_attr *attr,
struct bpf_token *token, bool kernel)
-LSM_HOOK(void, LSM_RET_VOID, bpf_prog_free, struct bpf_prog *prog)
-LSM_HOOK(int, 0, bpf_token_create, struct bpf_token *token, union bpf_attr *attr,
- const struct path *path)
-LSM_HOOK(void, LSM_RET_VOID, bpf_token_free, struct bpf_token *token)
-LSM_HOOK(int, 0, bpf_token_cmd, const struct bpf_token *token, enum bpf_cmd cmd)
-LSM_HOOK(int, 0, bpf_token_capable, const struct bpf_token *token, int cap)
+LSM_HOOK(void, LSM_RET_VOID, 0, bpf_map_free, struct bpf_map *map)
+LSM_HOOK(int, 0, 0, bpf_prog_load, struct bpf_prog *prog,
+ union bpf_attr *attr, struct bpf_token *token, bool kernel)
+LSM_HOOK(void, LSM_RET_VOID, 0, bpf_prog_free, struct bpf_prog *prog)
+LSM_HOOK(int, 0, 0, bpf_token_create, struct bpf_token *token,
+ union bpf_attr *attr, const struct path *path)
+LSM_HOOK(void, LSM_RET_VOID, 0, bpf_token_free, struct bpf_token *token)
+LSM_HOOK(int, 0, 0, bpf_token_cmd, const struct bpf_token *token,
+ enum bpf_cmd cmd)
+LSM_HOOK(int, 0, 0, bpf_token_capable, const struct bpf_token *token, int cap)
#endif /* CONFIG_BPF_SYSCALL */
-LSM_HOOK(int, 0, locked_down, enum lockdown_reason what)
+LSM_HOOK(int, 0, 0, locked_down, enum lockdown_reason what)
#ifdef CONFIG_PERF_EVENTS
-LSM_HOOK(int, 0, perf_event_open, int type)
-LSM_HOOK(int, 0, perf_event_alloc, struct perf_event *event)
-LSM_HOOK(int, 0, perf_event_read, struct perf_event *event)
-LSM_HOOK(int, 0, perf_event_write, struct perf_event *event)
+LSM_HOOK(int, 0, 0, perf_event_open, int type)
+LSM_HOOK(int, 0, 0, perf_event_alloc, struct perf_event *event)
+LSM_HOOK(int, 0, 0, perf_event_read, struct perf_event *event)
+LSM_HOOK(int, 0, 0, perf_event_write, struct perf_event *event)
#endif /* CONFIG_PERF_EVENTS */
#ifdef CONFIG_IO_URING
-LSM_HOOK(int, 0, uring_override_creds, const struct cred *new)
-LSM_HOOK(int, 0, uring_sqpoll, void)
-LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd)
-LSM_HOOK(int, 0, uring_allowed, void)
+LSM_HOOK(int, 0, 0, uring_override_creds, const struct cred *new)
+LSM_HOOK(int, 0, 0, uring_sqpoll, void)
+LSM_HOOK(int, 0, 0, uring_cmd, struct io_uring_cmd *ioucmd)
+LSM_HOOK(int, 0, 0, uring_allowed, void)
#endif /* CONFIG_IO_URING */
-LSM_HOOK(void, LSM_RET_VOID, initramfs_populated, void)
+LSM_HOOK(void, LSM_RET_VOID, 0, initramfs_populated, void)
-LSM_HOOK(int, 0, bdev_alloc_security, struct block_device *bdev)
-LSM_HOOK(void, LSM_RET_VOID, bdev_free_security, struct block_device *bdev)
-LSM_HOOK(int, 0, bdev_setintegrity, struct block_device *bdev,
+LSM_HOOK(int, 0, 0, bdev_alloc_security, struct block_device *bdev)
+LSM_HOOK(void, LSM_RET_VOID, 0, bdev_free_security, struct block_device *bdev)
+LSM_HOOK(int, 0, 0, bdev_setintegrity, struct block_device *bdev,
enum lsm_integrity_type type, const void *value, size_t size)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index b92008641242..4411b47f9a8d 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -36,7 +36,7 @@
#include <linux/lsm_count.h>
union security_list_options {
- #define LSM_HOOK(RET, DEFAULT, NAME, ...) RET (*NAME)(__VA_ARGS__);
+ #define LSM_HOOK(RET, DEFAULT, FLAGS, NAME, ...) RET (*NAME)(__VA_ARGS__);
#include "lsm_hook_defs.h"
#undef LSM_HOOK
void *lsm_func_addr;
@@ -65,7 +65,7 @@ struct lsm_static_call {
* dynamic to adapt the number of static calls to the number of callbacks.
*/
struct lsm_static_calls_table {
- #define LSM_HOOK(RET, DEFAULT, NAME, ...) \
+ #define LSM_HOOK(RET, DEFAULT, FLAGS, NAME, ...) \
struct lsm_static_call NAME[MAX_LSM_COUNT];
#include <linux/lsm_hook_defs.h>
#undef LSM_HOOK
diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c
index 7cb6e8d4282c..53d5c0b69b2c 100644
--- a/kernel/bpf/bpf_lsm.c
+++ b/kernel/bpf/bpf_lsm.c
@@ -20,16 +20,16 @@
/* For every LSM hook that allows attachment of BPF programs, declare a nop
* function where a BPF program can be attached.
*/
-#define LSM_HOOK(RET, DEFAULT, NAME, ...) \
-noinline RET bpf_lsm_##NAME(__VA_ARGS__) \
-{ \
- return DEFAULT; \
+#define LSM_HOOK(RET, DEFAULT, FLAGS, NAME, ...) \
+noinline RET bpf_lsm_##NAME(__VA_ARGS__) \
+{ \
+ return DEFAULT; \
}
#include <linux/lsm_hook_defs.h>
#undef LSM_HOOK
-#define LSM_HOOK(RET, DEFAULT, NAME, ...) BTF_ID(func, bpf_lsm_##NAME)
+#define LSM_HOOK(RET, DEFAULT, FLAGS, NAME, ...) BTF_ID(func, bpf_lsm_##NAME)
BTF_SET_START(bpf_lsm_hooks)
#include <linux/lsm_hook_defs.h>
#undef LSM_HOOK
diff --git a/security/bpf/hooks.c b/security/bpf/hooks.c
index 40efde233f3a..8c4b0ed2b22e 100644
--- a/security/bpf/hooks.c
+++ b/security/bpf/hooks.c
@@ -8,7 +8,7 @@
#include <uapi/linux/lsm.h>
static struct security_hook_list bpf_lsm_hooks[] __ro_after_init = {
- #define LSM_HOOK(RET, DEFAULT, NAME, ...) \
+ #define LSM_HOOK(RET, DEFAULT, FLAGS, NAME, ...) \
LSM_HOOK_INIT(NAME, bpf_lsm_##NAME),
#include <linux/lsm_hook_defs.h>
#undef LSM_HOOK
diff --git a/security/security.c b/security/security.c
index 31a688650601..25e7cfc96f20 100644
--- a/security/security.c
+++ b/security/security.c
@@ -117,7 +117,7 @@ do { \
*((RET(*)(__VA_ARGS__))NULL)); \
DEFINE_STATIC_KEY_FALSE(SECURITY_HOOK_ACTIVE_KEY(NAME, NUM));
-#define LSM_HOOK(RET, DEFAULT, NAME, ...) \
+#define LSM_HOOK(RET, DEFAULT, FLAGS, NAME, ...) \
LSM_DEFINE_UNROLL(DEFINE_LSM_STATIC_CALL, NAME, RET, __VA_ARGS__)
#include <linux/lsm_hook_defs.h>
#undef LSM_HOOK
@@ -142,7 +142,7 @@ struct lsm_static_calls_table
.trampoline = LSM_HOOK_TRAMP(NAME, NUM), \
.active = &SECURITY_HOOK_ACTIVE_KEY(NAME, NUM), \
},
-#define LSM_HOOK(RET, DEFAULT, NAME, ...) \
+#define LSM_HOOK(RET, DEFAULT, FLAGS, NAME, ...) \
.NAME = { \
LSM_DEFINE_UNROLL(INIT_LSM_STATIC_CALL, NAME) \
},
@@ -422,7 +422,7 @@ int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, u32 *uctx_len,
#define DECLARE_LSM_RET_DEFAULT_void(DEFAULT, NAME)
#define DECLARE_LSM_RET_DEFAULT_int(DEFAULT, NAME) \
static const int __maybe_unused LSM_RET_DEFAULT(NAME) = (DEFAULT);
-#define LSM_HOOK(RET, DEFAULT, NAME, ...) \
+#define LSM_HOOK(RET, DEFAULT, FLAGS, NAME, ...) \
DECLARE_LSM_RET_DEFAULT_##RET(DEFAULT, NAME)
#include <linux/lsm_hook_defs.h>
--
2.52.0
^ permalink raw reply related
* [RFC PATCH 2/3] LSM: Enforce exclusive hooks
From: Casey Schaufler @ 2026-02-25 19:21 UTC (permalink / raw)
To: casey, paul, linux-security-module
Cc: jmorris, serge, keescook, john.johansen, penguin-kernel,
stephen.smalley.work, selinux
In-Reply-To: <20260225192143.14448-1-casey@schaufler-ca.com>
If an LSM hook is marked as exclusive via LSM_FLAG_EXCLUSIVE
in lsm_hook_defs.h it will not be added to the set of hooks to
be executed if an different LSM has already registered an
exclusive hook.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/security.h | 2 ++
security/lsm_init.c | 66 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 68 insertions(+)
diff --git a/include/linux/security.h b/include/linux/security.h
index 83a646d72f6f..e3c137a1b30a 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -2404,4 +2404,6 @@ static inline void security_initramfs_populated(void)
}
#endif /* CONFIG_SECURITY */
+extern u64 lsm_exclusive_hooks;
+
#endif /* ! __LINUX_SECURITY_H */
diff --git a/security/lsm_init.c b/security/lsm_init.c
index 05bd52e6b1f2..dc3c84387a7e 100644
--- a/security/lsm_init.c
+++ b/security/lsm_init.c
@@ -356,6 +356,70 @@ static int __init lsm_static_call_init(struct security_hook_list *hl)
return -ENOSPC;
}
+/*
+ * Hooks that are restricted to use by a single security module.
+ *
+ * Secmark hooks have not been converted from secids to lsm_props
+ * due to space limitations in packet headers.
+ *
+ * Conversions from a secid to a secctx are restricted to the
+ * single security module. All cases where there may be multiple
+ * modules providing the input data have been converted to use
+ * a lsm_prop instead of a secid.
+ */
+struct lsm_exclusive {
+ struct lsm_static_call *name;
+ char *namestr;
+ u32 flags;
+};
+
+static __initdata struct lsm_exclusive lsm_exclusive_set[] = {
+#define LSM_HOOK(RET, DEFAULT, FLAGS, NAME, ...) \
+ { .name = static_calls_table.NAME, .flags = FLAGS, .namestr = "" #NAME "" , },
+#include <linux/lsm_hook_defs.h>
+#undef LSM_HOOK
+};
+u64 lsm_exclusive_hooks;
+EXPORT_SYMBOL(lsm_exclusive_hooks);
+
+/**
+ * lsm_exclusive_hook_denial - Check if exclusive hook is in use
+ * @hook: the hook to check
+ *
+ * Check if the hook in question is restricted to a single using LSM,
+ * and if the LSM providing single LSM hooks is defined.
+ *
+ * Returns true if the hook is exclusive and they are already provided,
+ * false otherwise.
+ */
+static bool __init lsm_exclusive_hook_denial(struct security_hook_list *hook)
+{
+ int i;
+
+ if (lsm_exclusive_hooks == hook->lsmid->id)
+ return false;
+
+ for (i = 0; i < ARRAY_SIZE(lsm_exclusive_set); i++) {
+ if (!(lsm_exclusive_set[i].flags & LSM_FLAG_EXCLUSIVE))
+ continue;
+ if (hook->scalls == lsm_exclusive_set[i].name) {
+ if (lsm_exclusive_hooks) {
+ if (lsm_debug)
+ lsm_pr("%s denied for %s.\n",
+ lsm_exclusive_set[i].namestr,
+ hook->lsmid->name);
+ return true;
+ }
+ if (lsm_debug)
+ lsm_pr("Exclusive hooks limited to %s.\n",
+ hook->lsmid->name);
+ lsm_exclusive_hooks = hook->lsmid->id;
+ break;
+ }
+ }
+ return false;
+}
+
/**
* security_add_hooks - Add a LSM's hooks to the LSM framework's hook lists
* @hooks: LSM hooks to add
@@ -371,6 +435,8 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count,
for (i = 0; i < count; i++) {
hooks[i].lsmid = lsmid;
+ if (lsm_exclusive_hook_denial(&hooks[i]))
+ continue;
if (lsm_static_call_init(&hooks[i]))
panic("exhausted LSM callback slots with LSM %s\n",
lsmid->name);
--
2.52.0
^ permalink raw reply related
* [RFC PATCH 3/3] LSM: Reserve use of secmarks
From: Casey Schaufler @ 2026-02-25 19:21 UTC (permalink / raw)
To: casey, paul, linux-security-module
Cc: jmorris, serge, keescook, john.johansen, penguin-kernel,
stephen.smalley.work, selinux
In-Reply-To: <20260225192143.14448-1-casey@schaufler-ca.com>
Use of "exclusive" LSM hooks are limited to the first LSM registering
them. These hooks include those use to process network secmarks.
The hooks required to process secmarks are flagged with LSM_FLAG_EXCLUSIVE
in their definitions. This includes secid_to_secctx and secctx_to_secid,
which are used by netfilter.
The various LSMs that use secmarks are updated to detect whether
they are providing exclusive hooks, and to eschew the use of secmarks
if they are not.
SELinux has a peculiar behavior in that it may decide that it
must have network controls, but only after policy is loaded.
This patch includes a warning should policy capability alwaysnetwork
be set when another LSM holds the exclusive hooks. It has been
suggested that SELinux would consider this a fatal condition, in
which case a panic might be a favored, if draconian, option.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/lsm_hook_defs.h | 12 +++++------
include/linux/security.h | 1 +
security/apparmor/lsm.c | 24 ++++++++++++++++------
security/security.c | 15 ++++++++++++++
security/selinux/hooks.c | 35 ++++++++++++++++++++++++--------
security/selinux/ss/services.c | 3 +++
security/smack/smack_lsm.c | 6 ++++--
security/smack/smack_netfilter.c | 6 ++++++
8 files changed, 80 insertions(+), 22 deletions(-)
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index acda3a02da97..e6d4d9c80ac6 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -309,12 +309,12 @@ LSM_HOOK(int, -EINVAL, 0, getprocattr, struct task_struct *p, const char *name,
LSM_HOOK(int, -EINVAL, 0, setprocattr, const char *name, void *value,
size_t size)
LSM_HOOK(int, 0, 0, ismaclabel, const char *name)
-LSM_HOOK(int, -EOPNOTSUPP, 0, secid_to_secctx, u32 secid,
+LSM_HOOK(int, -EOPNOTSUPP, LSM_FLAG_EXCLUSIVE, secid_to_secctx, u32 secid,
struct lsm_context *cp)
LSM_HOOK(int, -EOPNOTSUPP, 0, lsmprop_to_secctx, struct lsm_prop *prop,
struct lsm_context *cp)
-LSM_HOOK(int, 0, 0, secctx_to_secid, const char *secdata, u32 seclen,
- u32 *secid)
+LSM_HOOK(int, 0, LSM_FLAG_EXCLUSIVE, secctx_to_secid, const char *secdata,
+ u32 seclen, u32 *secid)
LSM_HOOK(void, LSM_RET_VOID, 0, release_secctx, struct lsm_context *cp)
LSM_HOOK(void, LSM_RET_VOID, 0, inode_invalidate_secctx, struct inode *inode)
LSM_HOOK(int, 0, 0, inode_notifysecctx, struct inode *inode, void *ctx,
@@ -379,9 +379,9 @@ LSM_HOOK(void, LSM_RET_VOID, 0, inet_csk_clone, struct sock *newsk,
const struct request_sock *req)
LSM_HOOK(void, LSM_RET_VOID, 0, inet_conn_established, struct sock *sk,
struct sk_buff *skb)
-LSM_HOOK(int, 0, 0, secmark_relabel_packet, u32 secid)
-LSM_HOOK(void, LSM_RET_VOID, 0, secmark_refcount_inc, void)
-LSM_HOOK(void, LSM_RET_VOID, 0, secmark_refcount_dec, void)
+LSM_HOOK(int, 0, LSM_FLAG_EXCLUSIVE, secmark_relabel_packet, u32 secid)
+LSM_HOOK(void, LSM_RET_VOID, LSM_FLAG_EXCLUSIVE, secmark_refcount_inc, void)
+LSM_HOOK(void, LSM_RET_VOID, LSM_FLAG_EXCLUSIVE, secmark_refcount_dec, void)
LSM_HOOK(void, LSM_RET_VOID, 0, req_classify_flow,
const struct request_sock *req, struct flowi_common *flic)
LSM_HOOK(int, 0, 0, tun_dev_alloc_security, void *security)
diff --git a/include/linux/security.h b/include/linux/security.h
index e3c137a1b30a..638436b9b748 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -326,6 +326,7 @@ int unregister_blocking_lsm_notifier(struct notifier_block *nb);
extern int security_init(void);
extern int early_security_init(void);
extern u64 lsm_name_to_attr(const char *name);
+extern u32 lsm_secmark_from_skb(struct sk_buff *skb, const u64 lsmid);
/* Security operations */
int security_binder_set_context_mgr(const struct cred *mgr);
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index a87cd60ed206..2ce0d9a73973 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -1511,9 +1511,11 @@ static int apparmor_socket_shutdown(struct socket *sock, int how)
static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
struct aa_sk_ctx *ctx = aa_sock(sk);
+ u32 secmark;
int error;
- if (!skb->secmark)
+ secmark = lsm_secmark_from_skb(skb, LSM_ID_APPARMOR);
+ if (!secmark)
return 0;
/*
@@ -1525,7 +1527,7 @@ static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
rcu_read_lock();
error = apparmor_secmark_check(rcu_dereference(ctx->label), OP_RECVMSG,
- AA_MAY_RECEIVE, skb->secmark, sk);
+ AA_MAY_RECEIVE, secmark, sk);
rcu_read_unlock();
return error;
@@ -1640,14 +1642,16 @@ static int apparmor_inet_conn_request(const struct sock *sk, struct sk_buff *skb
struct request_sock *req)
{
struct aa_sk_ctx *ctx = aa_sock(sk);
+ u32 secmark;
int error;
- if (!skb->secmark)
+ secmark = lsm_secmark_from_skb(skb, LSM_ID_APPARMOR);
+ if (!secmark)
return 0;
rcu_read_lock();
error = apparmor_secmark_check(rcu_dereference(ctx->label), OP_CONNECT,
- AA_MAY_CONNECT, skb->secmark, sk);
+ AA_MAY_CONNECT, secmark, sk);
rcu_read_unlock();
return error;
@@ -2359,9 +2363,11 @@ static unsigned int apparmor_ip_postroute(void *priv,
{
struct aa_sk_ctx *ctx;
struct sock *sk;
+ u32 secmark;
int error;
- if (!skb->secmark)
+ secmark = lsm_secmark_from_skb(skb, LSM_ID_APPARMOR);
+ if (!secmark)
return NF_ACCEPT;
sk = skb_to_full_sk(skb);
@@ -2371,7 +2377,7 @@ static unsigned int apparmor_ip_postroute(void *priv,
ctx = aa_sock(sk);
rcu_read_lock();
error = apparmor_secmark_check(rcu_dereference(ctx->label), OP_SENDMSG,
- AA_MAY_SEND, skb->secmark, sk);
+ AA_MAY_SEND, secmark, sk);
rcu_read_unlock();
if (!error)
return NF_ACCEPT;
@@ -2399,12 +2405,18 @@ static const struct nf_hook_ops apparmor_nf_ops[] = {
static int __net_init apparmor_nf_register(struct net *net)
{
+ if (lsm_exclusive_hooks != LSM_ID_APPARMOR)
+ return 0;
+
return nf_register_net_hooks(net, apparmor_nf_ops,
ARRAY_SIZE(apparmor_nf_ops));
}
static void __net_exit apparmor_nf_unregister(struct net *net)
{
+ if (lsm_exclusive_hooks != LSM_ID_APPARMOR)
+ return;
+
nf_unregister_net_hooks(net, apparmor_nf_ops,
ARRAY_SIZE(apparmor_nf_ops));
}
diff --git a/security/security.c b/security/security.c
index 25e7cfc96f20..754b16004677 100644
--- a/security/security.c
+++ b/security/security.c
@@ -4509,6 +4509,21 @@ void security_inet_conn_established(struct sock *sk,
}
EXPORT_SYMBOL(security_inet_conn_established);
+/**
+ * lsm_secmark_from_skb - secid for the specified LSM from the packet
+ * @skb: the packet
+ * @lsm: which LSM is asking
+ *
+ * If the specified LSM has use of the secmark, return its value.
+ * Otherwise, return the invalid secid 0.
+ */
+u32 lsm_secmark_from_skb(struct sk_buff *skb, const u64 lsmid)
+{
+ if (lsmid == lsm_exclusive_hooks)
+ return skb->secmark;
+ return 0;
+}
+
/**
* security_secmark_relabel_packet() - Check if setting a secmark is allowed
* @secid: new secmark value
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index d053ce562370..1dff2121a834 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5269,6 +5269,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
int err = 0;
struct sk_security_struct *sksec = selinux_sock(sk);
u32 sk_sid = sksec->sid;
+ u32 secmark;
struct common_audit_data ad;
struct lsm_network_audit net;
char *addrp;
@@ -5279,7 +5280,8 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
return err;
if (selinux_secmark_enabled()) {
- err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
+ secmark = lsm_secmark_from_skb(skb, LSM_ID_SELINUX);
+ err = avc_has_perm(sk_sid, secmark, SECCLASS_PACKET,
PACKET__RECV, &ad);
if (err)
return err;
@@ -5299,6 +5301,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
struct sk_security_struct *sksec = selinux_sock(sk);
u16 family = sk->sk_family;
u32 sk_sid = sksec->sid;
+ u32 secmark;
struct common_audit_data ad;
struct lsm_network_audit net;
char *addrp;
@@ -5348,7 +5351,8 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
}
if (secmark_active) {
- err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
+ secmark = lsm_secmark_from_skb(skb, LSM_ID_SELINUX);
+ err = avc_has_perm(sk_sid, secmark, SECCLASS_PACKET,
PACKET__RECV, &ad);
if (err)
return err;
@@ -5850,6 +5854,7 @@ static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb,
int ifindex;
u16 family;
char *addrp;
+ u32 secmark;
u32 peer_sid;
struct common_audit_data ad;
struct lsm_network_audit net;
@@ -5883,10 +5888,12 @@ static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb,
}
}
- if (secmark_active)
- if (avc_has_perm(peer_sid, skb->secmark,
+ if (secmark_active) {
+ secmark = lsm_secmark_from_skb(skb, LSM_ID_SELINUX);
+ if (avc_has_perm(peer_sid, secmark,
SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
return NF_DROP;
+ }
if (netlbl_enabled())
/* we do this in the FORWARD path and not the POST_ROUTING
@@ -5950,6 +5957,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
struct common_audit_data ad;
struct lsm_network_audit net;
u8 proto = 0;
+ u32 secmark;
sk = skb_to_full_sk(skb);
if (sk == NULL)
@@ -5960,10 +5968,12 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
if (selinux_parse_skb(skb, &ad, NULL, 0, &proto))
return NF_DROP;
- if (selinux_secmark_enabled())
- if (avc_has_perm(sksec->sid, skb->secmark,
+ if (selinux_secmark_enabled()) {
+ secmark = lsm_secmark_from_skb(skb, LSM_ID_SELINUX);
+ if (avc_has_perm(sksec->sid, secmark,
SECCLASS_PACKET, PACKET__SEND, &ad))
return NF_DROP_ERR(-ECONNREFUSED);
+ }
if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
return NF_DROP_ERR(-ECONNREFUSED);
@@ -5978,6 +5988,7 @@ static unsigned int selinux_ip_postroute(void *priv,
u16 family;
u32 secmark_perm;
u32 peer_sid;
+ u32 secmark;
int ifindex;
struct sock *sk;
struct common_audit_data ad;
@@ -6082,10 +6093,12 @@ static unsigned int selinux_ip_postroute(void *priv,
if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
return NF_DROP;
- if (secmark_active)
- if (avc_has_perm(peer_sid, skb->secmark,
+ if (secmark_active) {
+ secmark = lsm_secmark_from_skb(skb, LSM_ID_SELINUX);
+ if (avc_has_perm(peer_sid, secmark,
SECCLASS_PACKET, secmark_perm, &ad))
return NF_DROP_ERR(-ECONNREFUSED);
+ }
if (peerlbl_active) {
u32 if_sid;
@@ -7718,12 +7731,18 @@ static const struct nf_hook_ops selinux_nf_ops[] = {
static int __net_init selinux_nf_register(struct net *net)
{
+ if (lsm_exclusive_hooks != LSM_ID_SELINUX)
+ return 0;
+
return nf_register_net_hooks(net, selinux_nf_ops,
ARRAY_SIZE(selinux_nf_ops));
}
static void __net_exit selinux_nf_unregister(struct net *net)
{
+ if (lsm_exclusive_hooks != LSM_ID_SELINUX)
+ return;
+
nf_unregister_net_hooks(net, selinux_nf_ops,
ARRAY_SIZE(selinux_nf_ops));
}
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 13fc712d5923..269ad09f8dca 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2189,6 +2189,9 @@ static void security_load_policycaps(struct selinux_policy *policy)
pr_info("SELinux: unknown policy capability %u\n",
i);
}
+ if (selinux_state.policycap[POLICYDB_CAP_ALWAYSNETWORK] &&
+ lsm_exclusive_hooks != LSM_ID_SELINUX)
+ pr_warn("SELinux: policy capability alwaysnetwork is set, but secmark is used by another LSM.\n");
}
static int security_preserve_bools(struct selinux_policy *oldpolicy,
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index a0bd4919a9d9..7a98dcc4c67d 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4195,10 +4195,12 @@ static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip)
#ifdef CONFIG_NETWORK_SECMARK
static struct smack_known *smack_from_skb(struct sk_buff *skb)
{
- if (skb == NULL || skb->secmark == 0)
+ u32 secmark = lsm_secmark_from_skb(skb, LSM_ID_SMACK);
+
+ if (skb == NULL || secmark == 0)
return NULL;
- return smack_from_secid(skb->secmark);
+ return smack_from_secid(secmark);
}
#else
static inline struct smack_known *smack_from_skb(struct sk_buff *skb)
diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c
index 17ba578b1308..47426973843b 100644
--- a/security/smack/smack_netfilter.c
+++ b/security/smack/smack_netfilter.c
@@ -54,12 +54,18 @@ static const struct nf_hook_ops smack_nf_ops[] = {
static int __net_init smack_nf_register(struct net *net)
{
+ if (lsm_exclusive_hooks != LSM_ID_SMACK)
+ return 0;
+
return nf_register_net_hooks(net, smack_nf_ops,
ARRAY_SIZE(smack_nf_ops));
}
static void __net_exit smack_nf_unregister(struct net *net)
{
+ if (lsm_exclusive_hooks != LSM_ID_SMACK)
+ return;
+
nf_unregister_net_hooks(net, smack_nf_ops, ARRAY_SIZE(smack_nf_ops));
}
--
2.52.0
^ permalink raw reply related
* Re: [PATCH] ima: Add digest_size field to ima_algo_desc structure and use to show meas.
From: Mimi Zohar @ 2026-02-25 19:47 UTC (permalink / raw)
To: Roberto Sassu, dmitry.kasatkin, eric.snowberg, paul, jmorris,
serge
Cc: linux-integrity, linux-security-module, linux-kernel,
devnull+dima.arista.com, Roberto Sassu
In-Reply-To: <55905382b88f00de0d7a82aff0605b6d0d9a1e8c.camel@linux.ibm.com>
On Wed, 2026-02-25 at 13:37 -0500, Mimi Zohar wrote:
> On Wed, 2026-02-25 at 13:53 +0100, Roberto Sassu wrote:
> > From: Roberto Sassu <roberto.sassu@huawei.com>
> >
> > Add the digest_size field to the ima_algo_desc structure to determine the
> > digest size from the correct source.
> >
> > If the hash algorithm is among allocated PCR banks, take the value from the
> > TPM bank info; if the hash algorithm is SHA1, use the predefined value; if
> > the hash algorithm is the default one but not among the PCR banks, take the
> > digest size from the crypto subsystem (the default hash algorithm is
> > checked when parsing the ima_hash= command line option).
> >
> > Finally, use the new information to correctly show the template digest in
> > ima_measurements_show() and ima_ascii_measurements_show().
> >
> > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
>
> Thanks, Roberto. The patch looks fine, other than the patch title. Could it be
> renamed as "ima: define and use a digest_size field in the ima_algo_desc
> structure"?
The original design relied on the kernel's hash algorithm size. This patch
changes it to use the TPM's hash algorithm size, without comparing it to the
kernel's definition.
At minimum, this change in design should be noted above in the patch
description.
Mimi
^ permalink raw reply
* Re: [PATCH v5] ima_fs: Avoid creating measurement lists for unsupported hash algos
From: Mimi Zohar @ 2026-02-25 20:07 UTC (permalink / raw)
To: dima, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Paul Moore,
James Morris, Serge E. Hallyn, Silvia Sisinni, Enrico Bravi
Cc: Jonathan McDowell, linux-integrity, linux-security-module,
linux-kernel, stable, Dmitry Safonov
In-Reply-To: <20260223-ima-oob-v5-1-91cc1064e767@arista.com>
On Mon, 2026-02-23 at 14:56 +0000, Dmitry Safonov via B4 Relay wrote:
> From: Dmitry Safonov <dima@arista.com>
>
> ima_tpm_chip->allocated_banks[i].crypto_id is initialized to
> HASH_ALGO__LAST if the TPM algorithm is not supported. However there
> are places relying on the algorithm to be valid because it is accessed
> by hash_algo_name[].
>
> On 6.12.40 I observe the following read out-of-bounds in hash_algo_name:
> ==================================================================
> BUG: KASAN: global-out-of-bounds in create_securityfs_measurement_lists+0x396/0x440
> Read of size 8 at addr ffffffff83e18138 by task swapper/0/1
>
> CPU: 4 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.40 #3
> Call Trace:
> <TASK>
> dump_stack_lvl+0x61/0x90
> print_report+0xc4/0x580
> ? kasan_addr_to_slab+0x26/0x80
> ? create_securityfs_measurement_lists+0x396/0x440
> kasan_report+0xc2/0x100
> ? create_securityfs_measurement_lists+0x396/0x440
> create_securityfs_measurement_lists+0x396/0x440
> ima_fs_init+0xa3/0x300
> ima_init+0x7d/0xd0
> init_ima+0x28/0x100
> do_one_initcall+0xa6/0x3e0
> kernel_init_freeable+0x455/0x740
> kernel_init+0x24/0x1d0
> ret_from_fork+0x38/0x80
> ret_from_fork_asm+0x11/0x20
> </TASK>
>
> The buggy address belongs to the variable:
> hash_algo_name+0xb8/0x420
>
> Memory state around the buggy address:
> ffffffff83e18000: 00 01 f9 f9 f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9
> ffffffff83e18080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >ffffffff83e18100: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 00 05 f9 f9
> ^
> ffffffff83e18180: f9 f9 f9 f9 00 00 00 00 00 00 00 04 f9 f9 f9 f9
> ffffffff83e18200: 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9
> ==================================================================
>
> Seems like the TPM chip supports sha3_256, which isn't yet in
> tpm_algorithms:
> tpm tpm0: TPM with unsupported bank algorithm 0x0027
>
> Thus solve the problem by creating a file name with "_tpm_alg_<ID>"
> postfix if the crypto algorithm isn't initialized.
>
> This is how it looks on the test machine (patch ported to v6.12 release):
> # ls -1 /sys/kernel/security/ima/
> ascii_runtime_measurements
> ascii_runtime_measurements_tpm_alg_27
> ascii_runtime_measurements_sha1
> ascii_runtime_measurements_sha256
> binary_runtime_measurements
> binary_runtime_measurements_tpm_alg_27
> binary_runtime_measurements_sha1
> binary_runtime_measurements_sha256
> policy
> runtime_measurements_count
> violations
When reposting this patch, on top of Roberto's patch, please include the name of
the TCG document, or a link to it, defining the algorithm id number here in the
patch description.
thanks,
Mimi
^ permalink raw reply
* Re: [PATCH v5] ima_fs: Avoid creating measurement lists for unsupported hash algos
From: Mimi Zohar @ 2026-02-25 20:36 UTC (permalink / raw)
To: dima, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Paul Moore,
James Morris, Serge E. Hallyn, Silvia Sisinni, Enrico Bravi
Cc: Jonathan McDowell, linux-integrity, linux-security-module,
linux-kernel, stable, Dmitry Safonov
In-Reply-To: <20260223-ima-oob-v5-1-91cc1064e767@arista.com>
On Mon, 2026-02-23 at 14:56 +0000, Dmitry Safonov via B4 Relay wrote:
> From: Dmitry Safonov <dima@arista.com>
>
> ima_tpm_chip->allocated_banks[i].crypto_id is initialized to
> HASH_ALGO__LAST if the TPM algorithm is not supported. However there
> are places relying on the algorithm to be valid because it is accessed
> by hash_algo_name[].
If the TPM algorithm is not supported by whom? the kernel? HASH_ALGO__LAST is
defined in linux/hash_info.h. If the crypto algorithm is not supported by the
kernel, then the kernel won't be able to calculate the hash to extend the TPM.
> @@ -404,16 +398,24 @@ static int __init create_securityfs_measurement_lists(void)
> char file_name[NAME_MAX + 1];
> struct dentry *dentry;
>
> - sprintf(file_name, "ascii_runtime_measurements_%s",
> - hash_algo_name[algo]);
> + if (algo == HASH_ALGO__LAST)
> + sprintf(file_name, "ascii_runtime_measurements_tpm_alg_%x",
> + ima_tpm_chip->allocated_banks[i].alg_id);
> + else
> + sprintf(file_name, "ascii_runtime_measurements_%s",
> + hash_algo_name[algo]);
> dentry = securityfs_create_file(file_name, S_IRUSR | S_IRGRP,
> ima_dir, (void *)(uintptr_t)i,
> &ima_ascii_measurements_ops);
> if (IS_ERR(dentry))
> return PTR_ERR(dentry);
>
> - sprintf(file_name, "binary_runtime_measurements_%s",
> - hash_algo_name[algo]);
> + if (algo == HASH_ALGO__LAST)
> + sprintf(file_name, "binary_runtime_measurements_tpm_alg_%x",
> + ima_tpm_chip->allocated_banks[i].alg_id);
There's no point in creating either of the securityfs files if the kernel
doesn't support the hash algorithm.
Mimi
> + else
> + sprintf(file_name, "binary_runtime_measurements_%s",
> + hash_algo_name[algo]);
> dentry = securityfs_create_file(file_name, S_IRUSR | S_IRGRP,
> ima_dir, (void *)(uintptr_t)i,
> &ima_measurements_ops);
^ permalink raw reply
* Re: [PATCH v2 1/2] landlock: Serialize TSYNC thread restriction
From: Günther Noack @ 2026-02-25 22:33 UTC (permalink / raw)
To: Günther Noack
Cc: Yihan Ding, Mickaël Salaün, Paul Moore, Jann Horn,
linux-security-module, linux-kernel, syzbot+7ea2f5e9dfd468201817
In-Reply-To: <aZ7l6jU7XJ1BYbN-@google.com>
On Wed, Feb 25, 2026 at 01:07:26PM +0100, Günther Noack wrote:
> On Wed, Feb 25, 2026 at 10:47:33AM +0800, Yihan Ding wrote:
> > syzbot found a deadlock in landlock_restrict_sibling_threads().
> > When multiple threads concurrently call landlock_restrict_self() with
> > sibling thread restriction enabled, they can deadlock by mutually
> > queueing task_works on each other and then blocking in kernel space
> > (waiting for the other to finish).
> >
> > Fix this by serializing the TSYNC operations within the same process
> > using the exec_update_lock. This prevents concurrent invocations
> > from deadlocking. We use down_write_killable() to ensure the thread
> > remains responsive to fatal signals while waiting for the lock.
> >
> > Fixes: 42fc7e6543f6 ("landlock: Multithreading support for landlock_restrict_self()")
> > Reported-by: syzbot+7ea2f5e9dfd468201817@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=7ea2f5e9dfd468201817
> > Suggested-by: Günther Noack <gnoack3000@gmail.com>
> > Signed-off-by: Yihan Ding <dingyihan@uniontech.com>
> > ---
> > security/landlock/tsync.c | 8 ++++++++
> > 1 file changed, 8 insertions(+)
> >
> > diff --git a/security/landlock/tsync.c b/security/landlock/tsync.c
> > index de01aa899751..420fcfc2fe9a 100644
> > --- a/security/landlock/tsync.c
> > +++ b/security/landlock/tsync.c
> > @@ -447,6 +447,13 @@ int landlock_restrict_sibling_threads(const struct cred *old_cred,
> > shared_ctx.new_cred = new_cred;
> > shared_ctx.set_no_new_privs = task_no_new_privs(current);
> >
> > + /*
> > + * Serialize concurrent TSYNC operations to prevent deadlocks
> > + * when multiple threads call landlock_restrict_self() simultaneously.
> > + */
> > + if (down_write_killable(¤t->signal->exec_update_lock))
> > + return -EINTR;
> > +
> > /*
> > * We schedule a pseudo-signal task_work for each of the calling task's
> > * sibling threads. In the task work, each thread:
> > @@ -556,6 +563,7 @@ int landlock_restrict_sibling_threads(const struct cred *old_cred,
> > wait_for_completion(&shared_ctx.all_finished);
> >
> > tsync_works_release(&works);
> > + up_write(¤t->signal->exec_update_lock);
> >
> > return atomic_read(&shared_ctx.preparation_error);
> > }
> > --
> > 2.51.0
> >
>
> Thank you!
>
> Reviewed-by: Günther Noack <gnoack@google.com>
Hello Yihan Ding!
Apologies, I have to take this back -- applying the patch in this form
would be a mistake. When I tried this out with the Syzkaller test
case, I noticed that the tests started taking multiple seconds per
run. The way I reproduced it was by running the Syzkaller reproducer
under Qemu and looking for the frequency of the "executing program"
lines that it prints for each test run.
When I looked deeper, what was happening was actually that we got
ourselves into a deadlock again, which, in hindsight should have been
obvious: When two threads call landlock_restrict_self() roughly at the
same time, then the one that grabs the lock first will (a) keep the
other (killably) blocked on the lock acquisition, and (b) later ask
the other thread to run a task work. But in order to run a task work,
the blocked thread must first return from the syscall. However,
down_write_killable() only returns when either the lock is available
or when the thread was killed.
To resolve this, we need to actually use a lock acquisition that
respects other ways of interruption as well; we can either use a
down_write_trylock() and return -ERESTARTNOINTR, or we can use
down_write_interruptible().
Sorry for the poor advice to use the _killable variant earlier. Could
I ask you to please send another revision using _trylock() or
_interruptible()?
Thanks,
–Günther
^ permalink raw reply
* Re: LSM namespacing API
From: Paul Moore @ 2026-02-26 0:05 UTC (permalink / raw)
To: linux-security-module, selinux; +Cc: John Johansen, Stephen Smalley
In-Reply-To: <CAHC9VhRGMmhxbajwQNfGFy+ZFF1uN=UEBjqQZQ4UBy7yds3eVQ@mail.gmail.com>
On Tue, Aug 19, 2025 at 10:56 AM Paul Moore <paul@paul-moore.com> wrote:
>
> Hello all,
>
> As most of you are likely aware, Stephen Smalley has been working on
> adding namespace support to SELinux, and the work has now progressed
> to the point where a serious discussion on the API is warranted ...
I spent a few hours this afternoon re-reading this thread and tweaking
the original proposal to address everything discussed. The revised
proposal is below, with a bit more detail than before, please take a
look and let us all know what you think ...
* lsm_set_self_attr(LSM_ATTR_CLONE_NEWLSM) and clone(CLONE_NEWLSM)
We would define a new LSM_ATTR flag, LSM_ATTR_CLONE_NEWLSM, which
could be used with lsm_set_self_attr() to request that an individual
LSM create a new LSM specific namespace on the next
clone(CLONE_NEWLSM) call. LSMs may choose to perform various sanity
and authorization checks at lsm_set_self_attr() time, but they must
refrain from creating a new LSM namespace until clone() is called.
LSMs may also want to ensure that any state associated with an
lsm_set_self_attr(LSM_ATTR_CLONE_NEWLSM) request is not carried across
an exec() boundary, however, that decision is left to the individual
LSMs.
We would define a new clone() flag, CLONE_NEWLSM, which would trigger
a call into the LSM framework to invoke LSM specific callbacks to
perform namespace actions specified either by the LSM's policy or an
explicit lsm_set_self_attr(LSM_ATTR_CLONE_NEWLSM) request.
As with the existing LSM_ATTR support, this is strictly an opt-in
mechanism and individual LSMs are left to handle this request as they
see fit.
The lsm_get_self_attr() syscall could be used to get the
LSM_ATTR_CLONE_NEWLSM value(s) for the current process just like any
other LSM_ATTR flag.
* lsm_set_self_attr(LSM_ATTR_UNSHARE_NEWLSM) and unshare(CLONE_NEWLSM)
This would behave similarly to LSM_ATTR_CLONE_NEWLSM, but the LSM
namespace changes would take place during an unshare() call as opposed
to a clone() call. This is kept separate from the
LSM_ATTR_CLONE_NEWLSM flag because the behaviors are quite different:
one creates a process with a new LSM namespace set, while the other
changes the LSM namespace set of a running process.
LSMs are free to implement support for either LSM_ATTR flag, both, or
none at all.
* /proc/pid/ns/lsm and setns(CLONE_NEWLSM)
The /proc/pid/ns/lsm file serves as a link/handle to the specific LSM
namespace set in use for the given process. A process wishing to move
into the same LSM namespace set as another process can use this
link/handle (or a pidfd) and setns(CLONE_NEWLSM) to change its own LSM
namespace set. It is important to note that using setns() it should
not be possible to change the individual LSMs that are part of the LSM
namespace set, the calling process' LSM namespace is set to the exact
same LSM namespace set as the specified process.
Affected LSMs may choose to enforce access controls on the
setns(CLONE_NEWLSM) operation according to their own policy.
* Policy considerations
The mechanisms above provide for three different scenarios: a new
process creating a new LSM namespace set (the clone case), an existing
process creating a new LSM namespace set (the unshare case), and an
existing process joining an existing LSM namespace set (the setns
case).
In the clone case a new LSM namespace set will be created when the
process itself is created. It is up to the individual LSMs to
properly initialize their own namespaces and load any required
policies. Since the new LSM namespaces are created at clone() time
and before exec(), the calling process, or another trusted process
using a new yet-to-be-finalized API, should be able to configure the
newly created LSM namespace before exec().
The unshare case is similar to clone because a new LSM namespace set
is created, but it is a bit more challenging because unshare()
modifies the calling process's LSM namespace set, not a newly created
child process'. For simpler LSMs this might not pose a problem, but
for more complex LSMs, developing meaningful applications that use
unshare(CLONE_NEWLSM) and properly initialize/setup the new LSM
namespace set may prove challenging. Developing applications that use
clone(CLONE_NEWLSM) will likely be much easier.
In the setns case the process joins a properly configured LSM
namespace set with all necessary LSM policies loaded, there shouldn't
be any additional LSM setup required (although the work to change the
individual LSM namespaces on a running process may prove difficult).
--
paul-moore.com
^ permalink raw reply
* Re: [PATCH v2 1/2] landlock: Serialize TSYNC thread restriction
From: Ding Yihan @ 2026-02-26 1:43 UTC (permalink / raw)
To: Günther Noack, Günther Noack
Cc: Mickaël Salaün, Paul Moore, Jann Horn,
linux-security-module, linux-kernel, syzbot+7ea2f5e9dfd468201817
In-Reply-To: <20260225.42330125301c@gnoack.org>
Hi Günther, great catch with the QEMU test! Returning -ERESTARTNOINTR via down_write_trylock()
is indeed the perfect way to allow the blocked thread to process the TWA_SIGNAL and retry.
I have sent v3 with this update.
在 2026/2/26 06:33, Günther Noack 写道:
> On Wed, Feb 25, 2026 at 01:07:26PM +0100, Günther Noack wrote:
>> On Wed, Feb 25, 2026 at 10:47:33AM +0800, Yihan Ding wrote:
>>> syzbot found a deadlock in landlock_restrict_sibling_threads().
>>> When multiple threads concurrently call landlock_restrict_self() with
>>> sibling thread restriction enabled, they can deadlock by mutually
>>> queueing task_works on each other and then blocking in kernel space
>>> (waiting for the other to finish).
>>>
>>> Fix this by serializing the TSYNC operations within the same process
>>> using the exec_update_lock. This prevents concurrent invocations
>>> from deadlocking. We use down_write_killable() to ensure the thread
>>> remains responsive to fatal signals while waiting for the lock.
>>>
>>> Fixes: 42fc7e6543f6 ("landlock: Multithreading support for landlock_restrict_self()")
>>> Reported-by: syzbot+7ea2f5e9dfd468201817@syzkaller.appspotmail.com
>>> Closes: https://syzkaller.appspot.com/bug?extid=7ea2f5e9dfd468201817
>>> Suggested-by: Günther Noack <gnoack3000@gmail.com>
>>> Signed-off-by: Yihan Ding <dingyihan@uniontech.com>
>>> ---
>>> security/landlock/tsync.c | 8 ++++++++
>>> 1 file changed, 8 insertions(+)
>>>
>>> diff --git a/security/landlock/tsync.c b/security/landlock/tsync.c
>>> index de01aa899751..420fcfc2fe9a 100644
>>> --- a/security/landlock/tsync.c
>>> +++ b/security/landlock/tsync.c
>>> @@ -447,6 +447,13 @@ int landlock_restrict_sibling_threads(const struct cred *old_cred,
>>> shared_ctx.new_cred = new_cred;
>>> shared_ctx.set_no_new_privs = task_no_new_privs(current);
>>>
>>> + /*
>>> + * Serialize concurrent TSYNC operations to prevent deadlocks
>>> + * when multiple threads call landlock_restrict_self() simultaneously.
>>> + */
>>> + if (down_write_killable(¤t->signal->exec_update_lock))
>>> + return -EINTR;
>>> +
>>> /*
>>> * We schedule a pseudo-signal task_work for each of the calling task's
>>> * sibling threads. In the task work, each thread:
>>> @@ -556,6 +563,7 @@ int landlock_restrict_sibling_threads(const struct cred *old_cred,
>>> wait_for_completion(&shared_ctx.all_finished);
>>>
>>> tsync_works_release(&works);
>>> + up_write(¤t->signal->exec_update_lock);
>>>
>>> return atomic_read(&shared_ctx.preparation_error);
>>> }
>>> --
>>> 2.51.0
>>>
>>
>> Thank you!
>>
>> Reviewed-by: Günther Noack <gnoack@google.com>
>
> Hello Yihan Ding!
>
> Apologies, I have to take this back -- applying the patch in this form
> would be a mistake. When I tried this out with the Syzkaller test
> case, I noticed that the tests started taking multiple seconds per
> run. The way I reproduced it was by running the Syzkaller reproducer
> under Qemu and looking for the frequency of the "executing program"
> lines that it prints for each test run.
>
> When I looked deeper, what was happening was actually that we got
> ourselves into a deadlock again, which, in hindsight should have been
> obvious: When two threads call landlock_restrict_self() roughly at the
> same time, then the one that grabs the lock first will (a) keep the
> other (killably) blocked on the lock acquisition, and (b) later ask
> the other thread to run a task work. But in order to run a task work,
> the blocked thread must first return from the syscall. However,
> down_write_killable() only returns when either the lock is available
> or when the thread was killed.
>
> To resolve this, we need to actually use a lock acquisition that
> respects other ways of interruption as well; we can either use a
> down_write_trylock() and return -ERESTARTNOINTR, or we can use
> down_write_interruptible().
>
> Sorry for the poor advice to use the _killable variant earlier. Could
> I ask you to please send another revision using _trylock() or
> _interruptible()?
>
> Thanks,
> –Günther
>
^ permalink raw reply
* [PATCH v3 0/2] landlock: Fix TSYNC deadlock and clean up error path
From: Yihan Ding @ 2026-02-26 1:51 UTC (permalink / raw)
To: Mickaël Salaün, Günther Noack
Cc: Paul Moore, Jann Horn, linux-security-module, linux-kernel,
syzbot+7ea2f5e9dfd468201817
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=y, Size: 1790 bytes --]
Hello,
This patch series fixes a deadlock in the Landlock TSYNC multithreading
support, originally reported by syzbot, and cleans up the associated
interrupt recovery path.
The deadlock occurs when multiple threads concurrently call
landlock_restrict_self() with sibling thread restriction enabled,
causing them to mutually queue task_works on each other and block
indefinitely.
* Patch 1 fixes the root cause by serializing the TSYNC operations
within the same process using the exec_update_lock.
* Patch 2 cleans up the interrupt recovery path by replacing an
unnecessary wait_for_completion() with a straightforward loop break,
avoiding Use-After-Free while unblocking remaining task_works.
Changes in v3:
- Patch 1: Changed down_write_killable() to down_write_trylock() and
return -ERESTARTNOINTR on failure. This avoids a secondary deadlock
where a blocking wait prevents a sibling thread from waking up to
execute the requested TSYNC task_work. (Noted by Günther Noack.
down_write_interruptible() was also suggested but is not implemented
for rw_semaphores in the kernel).
- Patch 2: No changes.
Changes in v2:
- Split the changes into a 2-patch series.
- Patch 1: Adopted down_write_killable() instead of down_write().
- Patch 2: Removed wait_for_completion(&shared_ctx.all_prepared) and
replaced it with a `break` to prevent UAF.
Link to v2: https://lore.kernel.org/all/20260225024734.3024732-1-dingyihan@uniontech.com/
Link to v1: https://lore.kernel.org/all/20260224062729.2908692-1-dingyihan@uniontech.com/
Yihan Ding (2):
landlock: Serialize TSYNC thread restriction
landlock: Clean up interrupted thread logic in TSYNC
security/landlock/tsync.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
--
2.51.0
^ permalink raw reply
* [PATCH v3 0/2] landlock: Fix TSYNC deadlock and clean up error path
From: Yihan Ding @ 2026-02-26 1:52 UTC (permalink / raw)
To: Mickaël Salaün, Günther Noack
Cc: Paul Moore, Jann Horn, linux-security-module, linux-kernel,
syzbot+7ea2f5e9dfd468201817
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=y, Size: 1790 bytes --]
Hello,
This patch series fixes a deadlock in the Landlock TSYNC multithreading
support, originally reported by syzbot, and cleans up the associated
interrupt recovery path.
The deadlock occurs when multiple threads concurrently call
landlock_restrict_self() with sibling thread restriction enabled,
causing them to mutually queue task_works on each other and block
indefinitely.
* Patch 1 fixes the root cause by serializing the TSYNC operations
within the same process using the exec_update_lock.
* Patch 2 cleans up the interrupt recovery path by replacing an
unnecessary wait_for_completion() with a straightforward loop break,
avoiding Use-After-Free while unblocking remaining task_works.
Changes in v3:
- Patch 1: Changed down_write_killable() to down_write_trylock() and
return -ERESTARTNOINTR on failure. This avoids a secondary deadlock
where a blocking wait prevents a sibling thread from waking up to
execute the requested TSYNC task_work. (Noted by Günther Noack.
down_write_interruptible() was also suggested but is not implemented
for rw_semaphores in the kernel).
- Patch 2: No changes.
Changes in v2:
- Split the changes into a 2-patch series.
- Patch 1: Adopted down_write_killable() instead of down_write().
- Patch 2: Removed wait_for_completion(&shared_ctx.all_prepared) and
replaced it with a `break` to prevent UAF.
Link to v2: https://lore.kernel.org/all/20260225024734.3024732-1-dingyihan@uniontech.com/
Link to v1: https://lore.kernel.org/all/20260224062729.2908692-1-dingyihan@uniontech.com/
Yihan Ding (2):
landlock: Serialize TSYNC thread restriction
landlock: Clean up interrupted thread logic in TSYNC
security/landlock/tsync.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
--
2.51.0
^ permalink raw reply
* [PATCH v3 0/2] landlock: Fix TSYNC deadlock and clean up error path
From: Yihan Ding @ 2026-02-26 1:59 UTC (permalink / raw)
To: Mickaël Salaün, Günther Noack
Cc: Paul Moore, Jann Horn, linux-security-module, linux-kernel,
syzbot+7ea2f5e9dfd468201817
Hello,
This patch series fixes a deadlock in the Landlock TSYNC multithreading
support, originally reported by syzbot, and cleans up the associated
interrupt recovery path.
The deadlock occurs when multiple threads concurrently call
landlock_restrict_self() with sibling thread restriction enabled,
causing them to mutually queue task_works on each other and block
indefinitely.
* Patch 1 fixes the root cause by serializing the TSYNC operations
within the same process using the exec_update_lock.
* Patch 2 cleans up the interrupt recovery path by replacing an
unnecessary wait_for_completion() with a straightforward loop break,
avoiding Use-After-Free while unblocking remaining task_works.
Changes in v3:
- Patch 1: Changed down_write_killable() to down_write_trylock() and
return -ERESTARTNOINTR on failure. This avoids a secondary deadlock
where a blocking wait prevents a sibling thread from waking up to
execute the requested TSYNC task_work. (Noted by Günther Noack.
down_write_interruptible() was also suggested but is not implemented
for rw_semaphores in the kernel).
- Patch 2: No changes.
Changes in v2:
- Split the changes into a 2-patch series.
- Patch 1: Adopted down_write_killable() instead of down_write().
- Patch 2: Removed wait_for_completion(&shared_ctx.all_prepared) and
replaced it with a `break` to prevent UAF.
Link to v2: https://lore.kernel.org/all/20260225024734.3024732-1-dingyihan@uniontech.com/
Link to v1: https://lore.kernel.org/all/20260224062729.2908692-1-dingyihan@uniontech.com/
Yihan Ding (2):
landlock: Serialize TSYNC thread restriction
landlock: Clean up interrupted thread logic in TSYNC
security/landlock/tsync.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
--
2.51.0
^ permalink raw reply
* [PATCH v3 2/2] landlock: Clean up interrupted thread logic in TSYNC
From: Yihan Ding @ 2026-02-26 1:59 UTC (permalink / raw)
To: Mickaël Salaün, Günther Noack
Cc: Paul Moore, Jann Horn, linux-security-module, linux-kernel,
syzbot+7ea2f5e9dfd468201817, Yihan Ding
In-Reply-To: <20260226015903.3158620-1-dingyihan@uniontech.com>
In landlock_restrict_sibling_threads(), when the calling thread is
interrupted while waiting for sibling threads to prepare, it executes
a recovery path.
Previously, this path included a wait_for_completion() call on
all_prepared to prevent a Use-After-Free of the local shared_ctx.
However, this wait is redundant. Exiting the main do-while loop
already leads to a bottom cleanup section that unconditionally waits
for all_finished. Therefore, replacing the wait with a simple break
is safe, prevents UAF, and correctly unblocks the remaining task_works.
Clean up the error path by breaking the loop and updating the
surrounding comments to accurately reflect the state machine.
Suggested-by: Günther Noack <gnoack3000@gmail.com>
Signed-off-by: Yihan Ding <dingyihan@uniontech.com>
---
Change in v3:
-No change in v3
Changes in v2:
- Replaced wait_for_completion(&shared_ctx.all_prepared) with a break
statement based on the realization that the bottom wait for 'all_finished'
already guards against UAF.
- Updated comments for clarity.
---
security/landlock/tsync.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/security/landlock/tsync.c b/security/landlock/tsync.c
index 420fcfc2fe9a..9731ec7f329a 100644
--- a/security/landlock/tsync.c
+++ b/security/landlock/tsync.c
@@ -534,24 +534,28 @@ int landlock_restrict_sibling_threads(const struct cred *old_cred,
-ERESTARTNOINTR);
/*
- * Cancel task works for tasks that did not start running yet,
- * and decrement all_prepared and num_unfinished accordingly.
+ * Opportunistic improvement: try to cancel task works
+ * for tasks that did not start running yet. We do not
+ * have a guarantee that it cancels any of the enqueued
+ * task works (because task_work_run() might already have
+ * dequeued them).
*/
cancel_tsync_works(&works, &shared_ctx);
/*
- * The remaining task works have started running, so waiting for
- * their completion will finish.
+ * Break the loop with error. The cleanup code after the loop
+ * unblocks the remaining task_works.
*/
- wait_for_completion(&shared_ctx.all_prepared);
+ break;
}
}
} while (found_more_threads &&
!atomic_read(&shared_ctx.preparation_error));
/*
- * We now have all sibling threads blocking and in "prepared" state in the
- * task work. Ask all threads to commit.
+ * We now have either (a) all sibling threads blocking and in
+ * "prepared" state in the task work, or (b) the preparation error is
+ * set. Ask all threads to commit (or abort).
*/
complete_all(&shared_ctx.ready_to_commit);
--
2.51.0
^ permalink raw reply related
* [PATCH v3 1/2] landlock: Serialize TSYNC thread restriction
From: Yihan Ding @ 2026-02-26 1:59 UTC (permalink / raw)
To: Mickaël Salaün, Günther Noack
Cc: Paul Moore, Jann Horn, linux-security-module, linux-kernel,
syzbot+7ea2f5e9dfd468201817, Yihan Ding
In-Reply-To: <20260226015903.3158620-1-dingyihan@uniontech.com>
syzbot found a deadlock in landlock_restrict_sibling_threads().
When multiple threads concurrently call landlock_restrict_self() with
sibling thread restriction enabled, they can deadlock by mutually
queueing task_works on each other and then blocking in kernel space
(waiting for the other to finish).
Fix this by serializing the TSYNC operations within the same process
using the exec_update_lock. This prevents concurrent invocations
from deadlocking.
We use down_write_trylock() and return -ERESTARTNOINTR if the lock
cannot be acquired immediately. This ensures that if a thread fails
to get the lock, it will return to userspace, allowing it to process
any pending TSYNC task_works from the lock holder, and then
transparently restart the syscall.
Fixes: 42fc7e6543f6 ("landlock: Multithreading support for landlock_restrict_self()")
Reported-by: syzbot+7ea2f5e9dfd468201817@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7ea2f5e9dfd468201817
Suggested-by: Günther Noack <gnoack3000@gmail.com>
Signed-off-by: Yihan Ding <dingyihan@uniontech.com>
---
Changes in v3:
- Replaced down_write_killable() with down_write_trylock() and
returned -ERESTARTNOINTR to avoid a secondary deadlock caused by
blocking the execution of task_works. (Caught by Günther Noack).
Changes in v2:
- Use down_write_killable() instead of down_write().
- Split the interrupt path cleanup into a separate patch.
---
security/landlock/tsync.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/security/landlock/tsync.c b/security/landlock/tsync.c
index de01aa899751..xxxxxxxxxxxx 100644
--- a/security/landlock/tsync.c
+++ b/security/landlock/tsync.c
@@ -447,6 +447,13 @@ int landlock_restrict_sibling_threads(const struct cred *old_cred,
shared_ctx.new_cred = new_cred;
shared_ctx.set_no_new_privs = task_no_new_privs(current);
+ /*
+ * Serialize concurrent TSYNC operations to prevent deadlocks
+ * when multiple threads call landlock_restrict_self() simultaneously.
+ */
+ if (!down_write_trylock(¤t->signal->exec_update_lock))
+ return -ERESTARTNOINTR;
+
/*
* We schedule a pseudo-signal task_work for each of the calling task's
* sibling threads. In the task work, each thread:
@@ -556,6 +563,7 @@ int landlock_restrict_sibling_threads(const struct cred *old_cred,
wait_for_completion(&shared_ctx.all_finished);
tsync_works_release(&works);
+ up_write(¤t->signal->exec_update_lock);
return atomic_read(&shared_ctx.preparation_error);
}
--
2.51.0
^ permalink raw reply
* [PATCH 0/2] efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG
From: Thomas Weißschuh @ 2026-02-26 7:20 UTC (permalink / raw)
To: Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg,
Paul Moore, James Morris, Serge E. Hallyn, Madhavan Srinivasan,
Michael Ellerman, Nicholas Piggin, Christophe Leroy (CS GROUP)
Cc: linux-integrity, linux-security-module, linux-kernel,
linuxppc-dev, Thomas Weißschuh, Aaron Tomlin, Nicolas Schier
When configuration settings are disabled the guarded functions are
defined as empty stubs, so the check is unnecessary.
This was originally part of my CONFIG_MODULE_HASHES[0] series,
but as I am dropping IMA compatibility for now, these patches
can go in independently.
[0] https://lore.kernel.org/lkml/20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net/
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
---
Thomas Weißschuh (2):
ima: efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG
powerpc/ima: Drop unnecessary check for CONFIG_MODULE_SIG
arch/powerpc/kernel/ima_arch.c | 3 +--
security/integrity/ima/ima_efi.c | 6 ++----
2 files changed, 3 insertions(+), 6 deletions(-)
---
base-commit: 6de23f81a5e08be8fbf5e8d7e9febc72a5b5f27f
change-id: 20260225-ima-ifdef-978960c0f00e
Best regards,
--
Thomas Weißschuh <linux@weissschuh.net>
^ permalink raw reply
* [PATCH 2/2] powerpc/ima: Drop unnecessary check for CONFIG_MODULE_SIG
From: Thomas Weißschuh @ 2026-02-26 7:20 UTC (permalink / raw)
To: Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg,
Paul Moore, James Morris, Serge E. Hallyn, Madhavan Srinivasan,
Michael Ellerman, Nicholas Piggin, Christophe Leroy (CS GROUP)
Cc: linux-integrity, linux-security-module, linux-kernel,
linuxppc-dev, Thomas Weißschuh, Aaron Tomlin, Nicolas Schier
In-Reply-To: <20260226-ima-ifdef-v1-0-8b9613edbbdb@weissschuh.net>
When CONFIG_MODULE_SIG is disabled set_module_sig_enforced() is defined
as an empty stub, so the check is unnecessary.
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Aaron Tomlin <atomlin@atomlin.com>
Reviewed-by: Nicolas Schier <nsc@kernel.org>
---
arch/powerpc/kernel/ima_arch.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
index b7029beed847..690263bf4265 100644
--- a/arch/powerpc/kernel/ima_arch.c
+++ b/arch/powerpc/kernel/ima_arch.c
@@ -63,8 +63,7 @@ static const char *const secure_and_trusted_rules[] = {
const char *const *arch_get_ima_policy(void)
{
if (is_ppc_secureboot_enabled()) {
- if (IS_ENABLED(CONFIG_MODULE_SIG))
- set_module_sig_enforced();
+ set_module_sig_enforced();
if (is_ppc_trustedboot_enabled())
return secure_and_trusted_rules;
--
2.53.0
^ permalink raw reply related
* [PATCH 1/2] ima: efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG
From: Thomas Weißschuh @ 2026-02-26 7:20 UTC (permalink / raw)
To: Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg,
Paul Moore, James Morris, Serge E. Hallyn, Madhavan Srinivasan,
Michael Ellerman, Nicholas Piggin, Christophe Leroy (CS GROUP)
Cc: linux-integrity, linux-security-module, linux-kernel,
linuxppc-dev, Thomas Weißschuh, Aaron Tomlin, Nicolas Schier
In-Reply-To: <20260226-ima-ifdef-v1-0-8b9613edbbdb@weissschuh.net>
When configuration settings are disabled the guarded functions are
defined as empty stubs, so the check is unnecessary.
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Aaron Tomlin <atomlin@atomlin.com>
Reviewed-by: Nicolas Schier <nsc@kernel.org>
---
security/integrity/ima/ima_efi.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/security/integrity/ima/ima_efi.c b/security/integrity/ima/ima_efi.c
index 138029bfcce1..a35dd166ad47 100644
--- a/security/integrity/ima/ima_efi.c
+++ b/security/integrity/ima/ima_efi.c
@@ -68,10 +68,8 @@ static const char * const sb_arch_rules[] = {
const char * const *arch_get_ima_policy(void)
{
if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
- if (IS_ENABLED(CONFIG_MODULE_SIG))
- set_module_sig_enforced();
- if (IS_ENABLED(CONFIG_KEXEC_SIG))
- set_kexec_sig_enforced();
+ set_module_sig_enforced();
+ set_kexec_sig_enforced();
return sb_arch_rules;
}
return NULL;
--
2.53.0
^ permalink raw reply related
* Re: [PATCH v3 1/2] landlock: Serialize TSYNC thread restriction
From: Günther Noack @ 2026-02-26 7:23 UTC (permalink / raw)
To: Yihan Ding
Cc: Mickaël Salaün, Paul Moore, Jann Horn,
linux-security-module, linux-kernel, syzbot+7ea2f5e9dfd468201817
In-Reply-To: <20260226015903.3158620-2-dingyihan@uniontech.com>
On Thu, Feb 26, 2026 at 09:59:02AM +0800, Yihan Ding wrote:
> syzbot found a deadlock in landlock_restrict_sibling_threads().
> When multiple threads concurrently call landlock_restrict_self() with
> sibling thread restriction enabled, they can deadlock by mutually
> queueing task_works on each other and then blocking in kernel space
> (waiting for the other to finish).
>
> Fix this by serializing the TSYNC operations within the same process
> using the exec_update_lock. This prevents concurrent invocations
> from deadlocking.
>
> We use down_write_trylock() and return -ERESTARTNOINTR if the lock
> cannot be acquired immediately. This ensures that if a thread fails
> to get the lock, it will return to userspace, allowing it to process
> any pending TSYNC task_works from the lock holder, and then
> transparently restart the syscall.
>
> Fixes: 42fc7e6543f6 ("landlock: Multithreading support for landlock_restrict_self()")
> Reported-by: syzbot+7ea2f5e9dfd468201817@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=7ea2f5e9dfd468201817
> Suggested-by: Günther Noack <gnoack3000@gmail.com>
> Signed-off-by: Yihan Ding <dingyihan@uniontech.com>
> ---
> Changes in v3:
> - Replaced down_write_killable() with down_write_trylock() and
> returned -ERESTARTNOINTR to avoid a secondary deadlock caused by
> blocking the execution of task_works. (Caught by Günther Noack).
>
> Changes in v2:
> - Use down_write_killable() instead of down_write().
> - Split the interrupt path cleanup into a separate patch.
> ---
> security/landlock/tsync.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/security/landlock/tsync.c b/security/landlock/tsync.c
> index de01aa899751..xxxxxxxxxxxx 100644
> --- a/security/landlock/tsync.c
> +++ b/security/landlock/tsync.c
> @@ -447,6 +447,13 @@ int landlock_restrict_sibling_threads(const struct cred *old_cred,
> shared_ctx.new_cred = new_cred;
> shared_ctx.set_no_new_privs = task_no_new_privs(current);
>
> + /*
> + * Serialize concurrent TSYNC operations to prevent deadlocks
> + * when multiple threads call landlock_restrict_self() simultaneously.
> + */
> + if (!down_write_trylock(¤t->signal->exec_update_lock))
> + return -ERESTARTNOINTR;
> +
> /*
> * We schedule a pseudo-signal task_work for each of the calling task's
> * sibling threads. In the task work, each thread:
> @@ -556,6 +563,7 @@ int landlock_restrict_sibling_threads(const struct cred *old_cred,
> wait_for_completion(&shared_ctx.all_finished);
>
> tsync_works_release(&works);
> + up_write(¤t->signal->exec_update_lock);
>
> return atomic_read(&shared_ctx.preparation_error);
> }
> --
> 2.51.0
>
Reviewed-by: Günther Noack <gnoack3000@gmail.com>
^ permalink raw reply
* Re: [PATCH v3 2/2] landlock: Clean up interrupted thread logic in TSYNC
From: Günther Noack @ 2026-02-26 7:23 UTC (permalink / raw)
To: Yihan Ding
Cc: Mickaël Salaün, Paul Moore, Jann Horn,
linux-security-module, linux-kernel, syzbot+7ea2f5e9dfd468201817
In-Reply-To: <20260226015903.3158620-3-dingyihan@uniontech.com>
On Thu, Feb 26, 2026 at 09:59:03AM +0800, Yihan Ding wrote:
> In landlock_restrict_sibling_threads(), when the calling thread is
> interrupted while waiting for sibling threads to prepare, it executes
> a recovery path.
>
> Previously, this path included a wait_for_completion() call on
> all_prepared to prevent a Use-After-Free of the local shared_ctx.
> However, this wait is redundant. Exiting the main do-while loop
> already leads to a bottom cleanup section that unconditionally waits
> for all_finished. Therefore, replacing the wait with a simple break
> is safe, prevents UAF, and correctly unblocks the remaining task_works.
>
> Clean up the error path by breaking the loop and updating the
> surrounding comments to accurately reflect the state machine.
>
> Suggested-by: Günther Noack <gnoack3000@gmail.com>
> Signed-off-by: Yihan Ding <dingyihan@uniontech.com>
> ---
> Change in v3:
> -No change in v3
>
> Changes in v2:
> - Replaced wait_for_completion(&shared_ctx.all_prepared) with a break
> statement based on the realization that the bottom wait for 'all_finished'
> already guards against UAF.
> - Updated comments for clarity.
> ---
> security/landlock/tsync.c | 18 +++++++++++-------
> 1 file changed, 11 insertions(+), 7 deletions(-)
>
> diff --git a/security/landlock/tsync.c b/security/landlock/tsync.c
> index 420fcfc2fe9a..9731ec7f329a 100644
> --- a/security/landlock/tsync.c
> +++ b/security/landlock/tsync.c
> @@ -534,24 +534,28 @@ int landlock_restrict_sibling_threads(const struct cred *old_cred,
> -ERESTARTNOINTR);
>
> /*
> - * Cancel task works for tasks that did not start running yet,
> - * and decrement all_prepared and num_unfinished accordingly.
> + * Opportunistic improvement: try to cancel task works
> + * for tasks that did not start running yet. We do not
> + * have a guarantee that it cancels any of the enqueued
> + * task works (because task_work_run() might already have
> + * dequeued them).
> */
> cancel_tsync_works(&works, &shared_ctx);
>
> /*
> - * The remaining task works have started running, so waiting for
> - * their completion will finish.
> + * Break the loop with error. The cleanup code after the loop
> + * unblocks the remaining task_works.
> */
> - wait_for_completion(&shared_ctx.all_prepared);
> + break;
> }
> }
> } while (found_more_threads &&
> !atomic_read(&shared_ctx.preparation_error));
>
> /*
> - * We now have all sibling threads blocking and in "prepared" state in the
> - * task work. Ask all threads to commit.
> + * We now have either (a) all sibling threads blocking and in
> + * "prepared" state in the task work, or (b) the preparation error is
> + * set. Ask all threads to commit (or abort).
> */
> complete_all(&shared_ctx.ready_to_commit);
>
> --
> 2.51.0
>
Reviewed-by: Günther Noack <gnoack3000@gmail.com>
^ permalink raw reply
* Re: [PATCH] ima: Add digest_size field to ima_algo_desc structure and use to show meas.
From: Roberto Sassu @ 2026-02-26 9:00 UTC (permalink / raw)
To: Mimi Zohar, dmitry.kasatkin, eric.snowberg, paul, jmorris, serge
Cc: linux-integrity, linux-security-module, linux-kernel,
devnull+dima.arista.com, Roberto Sassu
In-Reply-To: <55905382b88f00de0d7a82aff0605b6d0d9a1e8c.camel@linux.ibm.com>
On Wed, 2026-02-25 at 13:37 -0500, Mimi Zohar wrote:
> On Wed, 2026-02-25 at 13:53 +0100, Roberto Sassu wrote:
> > From: Roberto Sassu <roberto.sassu@huawei.com>
> >
> > Add the digest_size field to the ima_algo_desc structure to determine the
> > digest size from the correct source.
> >
> > If the hash algorithm is among allocated PCR banks, take the value from the
> > TPM bank info; if the hash algorithm is SHA1, use the predefined value; if
> > the hash algorithm is the default one but not among the PCR banks, take the
> > digest size from the crypto subsystem (the default hash algorithm is
> > checked when parsing the ima_hash= command line option).
> >
> > Finally, use the new information to correctly show the template digest in
> > ima_measurements_show() and ima_ascii_measurements_show().
> >
> > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
>
> Thanks, Roberto. The patch looks fine, other than the patch title. Could it be
> renamed as "ima: define and use a digest_size field in the ima_algo_desc
> structure"?
Sure, will do this and add a comment about the TPM digest size.
Thanks
Roberto
^ permalink raw reply
* Re: [PATCH v5] ima_fs: Avoid creating measurement lists for unsupported hash algos
From: Roberto Sassu @ 2026-02-26 9:05 UTC (permalink / raw)
To: Mimi Zohar, dima, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg,
Paul Moore, James Morris, Serge E. Hallyn, Silvia Sisinni,
Enrico Bravi
Cc: Jonathan McDowell, linux-integrity, linux-security-module,
linux-kernel, stable, Dmitry Safonov
In-Reply-To: <6808b1a8fcb014e6c7c18241d39155f5c12edc31.camel@linux.ibm.com>
On Wed, 2026-02-25 at 15:36 -0500, Mimi Zohar wrote:
> On Mon, 2026-02-23 at 14:56 +0000, Dmitry Safonov via B4 Relay wrote:
> > From: Dmitry Safonov <dima@arista.com>
> >
> > ima_tpm_chip->allocated_banks[i].crypto_id is initialized to
> > HASH_ALGO__LAST if the TPM algorithm is not supported. However there
> > are places relying on the algorithm to be valid because it is accessed
> > by hash_algo_name[].
>
> If the TPM algorithm is not supported by whom? the kernel? HASH_ALGO__LAST is
> defined in linux/hash_info.h. If the crypto algorithm is not supported by the
> kernel, then the kernel won't be able to calculate the hash to extend the TPM.
Yes, by the kernel. True, that is why we do a padded SHA1.
> > @@ -404,16 +398,24 @@ static int __init create_securityfs_measurement_lists(void)
> > char file_name[NAME_MAX + 1];
> > struct dentry *dentry;
> >
> > - sprintf(file_name, "ascii_runtime_measurements_%s",
> > - hash_algo_name[algo]);
> > + if (algo == HASH_ALGO__LAST)
> > + sprintf(file_name, "ascii_runtime_measurements_tpm_alg_%x",
> > + ima_tpm_chip->allocated_banks[i].alg_id);
> > + else
> > + sprintf(file_name, "ascii_runtime_measurements_%s",
> > + hash_algo_name[algo]);
> > dentry = securityfs_create_file(file_name, S_IRUSR | S_IRGRP,
> > ima_dir, (void *)(uintptr_t)i,
> > &ima_ascii_measurements_ops);
> > if (IS_ERR(dentry))
> > return PTR_ERR(dentry);
> >
> > - sprintf(file_name, "binary_runtime_measurements_%s",
> > - hash_algo_name[algo]);
> > + if (algo == HASH_ALGO__LAST)
> > + sprintf(file_name, "binary_runtime_measurements_tpm_alg_%x",
> > + ima_tpm_chip->allocated_banks[i].alg_id);
>
> There's no point in creating either of the securityfs files if the kernel
> doesn't support the hash algorithm.
It is not useful per se, but since it is an information that it is
produced and maintained by IMA, we can print it. And second, it will
expose the fact that there is an unsupported algorithm (in the case of
SHA3-256, the fix is add to the TPM - crypto subsystem mapping in tpm2-
cmd.c).
Roberto
> Mimi
>
>
> > + else
> > + sprintf(file_name, "binary_runtime_measurements_%s",
> > + hash_algo_name[algo]);
> > dentry = securityfs_create_file(file_name, S_IRUSR | S_IRGRP,
> > ima_dir, (void *)(uintptr_t)i,
> > &ima_measurements_ops);
>
>
^ permalink raw reply
* Re: [PATCH 1/3] integrity: Make arch_ima_get_secureboot integrity-wide
From: Ard Biesheuvel @ 2026-02-26 10:23 UTC (permalink / raw)
To: Mimi Zohar
Cc: Coiby Xu, Dave Hansen, linux-integrity, Heiko Carstens,
Roberto Sassu, Catalin Marinas, Will Deacon, Madhavan Srinivasan,
Michael Ellerman, Nicholas Piggin, Christophe Leroy (CS GROUP),
Vasily Gorbik, Alexander Gordeev, Christian Borntraeger,
Sven Schnelle, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
Dave Hansen, maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT),
H . Peter Anvin, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg,
Paul Moore, James Morris, Serge E. Hallyn, Jarkko Sakkinen,
moderated list:ARM64 PORT (AARCH64 ARCHITECTURE), open list,
open list:LINUX FOR POWERPC (32-BIT AND 64-BIT),
open list:S390 ARCHITECTURE,
open list:EXTENSIBLE FIRMWARE INTERFACE (EFI),
open list:SECURITY SUBSYSTEM, open list:KEYS/KEYRINGS_INTEGRITY
In-Reply-To: <ad471c33eeb9e21c49ac81032dc64555a2fb816f.camel@linux.ibm.com>
On Wed, 25 Feb 2026, at 01:03, Mimi Zohar wrote:
> On Wed, 2026-01-21 at 17:25 +0100, Ard Biesheuvel wrote:
>> On Wed, 21 Jan 2026 at 16:41, Mimi Zohar <zohar@linux.ibm.com> wrote:
>> >
>> > On Mon, 2026-01-19 at 12:04 +0800, Coiby Xu wrote:
>> >
>> > > diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
>> > > index 976e75f9b9ba..5dce572192d6 100644
>> > > --- a/security/integrity/ima/Kconfig
>> > > +++ b/security/integrity/ima/Kconfig
>> > > @@ -311,6 +311,7 @@ config IMA_QUEUE_EARLY_BOOT_KEYS
>> > > config IMA_SECURE_AND_OR_TRUSTED_BOOT
>> > > bool
>> > > depends on IMA_ARCH_POLICY
>> > > + depends on INTEGRITY_SECURE_BOOT
>> > >
>> > >
>> > > Another idea is make a tree-wide arch_get_secureboot i.e. to move
>> > > current arch_ima_get_secureboot code to arch-specific secure boot
>> > > implementation. By this way, there will no need for a new Kconfig option
>> > > INTEGRITY_SECURE_BOOT. But I'm not sure if there is any unforeseen
>> > > concern.
>> >
>> > Originally basing IMA policy on the secure boot mode was an exception. As long
>> > as making it public isn't an issue any longer, this sounds to me. Ard, Dave, do
>> > you have any issues with replacing arch_ima_get_secureboot() with
>> > arch_get_secureboot()?
>>
>> I don't see an issue with that. If there is a legitimate need to
>> determine this even if IMA is not enabled, then this makes sense.
>
> Ard, Dave -
>
> FYI, Coiby posted v3 of this patch set[1], which is queued in the next-
> integrity-testing branch[2].
>
> [1]
> https://lore.kernel.org/linux-integrity/20260213012851.2532722-1-coxu@redhat.com/
>
> [2] https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git/
>
Ack. Looks fine to me.
^ permalink raw reply
* Re: [PATCH 0/2] fanotify: avid some premature LSM checks
From: Jan Kara @ 2026-02-26 14:19 UTC (permalink / raw)
To: Ondrej Mosnacek
Cc: Jan Kara, Amir Goldstein, Matthew Bobrowski, linux-fsdevel,
linux-security-module, selinux, linux-kernel
In-Reply-To: <yk2qcux2ee7afr24xw6p7wp4t3islu64ttfsrheac2zwr6odnw@kmagnqbldb3f>
On Tue 17-02-26 12:09:34, Jan Kara wrote:
> On Mon 16-02-26 16:06:23, Ondrej Mosnacek wrote:
> > Restructure some of the validity and security checks in
> > fs/notify/fanotify/fanotify_user.c to avoid generating LSM access
> > denials in the audit log where hey shouldn't be.
> >
> > Ondrej Mosnacek (2):
> > fanotify: avoid/silence premature LSM capability checks
> > fanotify: call fanotify_events_supported() before path_permission()
> > and security_path_notify()
> >
> > fs/notify/fanotify/fanotify_user.c | 50 ++++++++++++++----------------
> > 1 file changed, 23 insertions(+), 27 deletions(-)
>
> The series looks good to me as well. Thanks! I'll commit the series to my
> tree once the merge window closes and fixup the comment formatting on
> commit. No need to resend.
Pushed the series to my tree now.
Honza
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
^ permalink raw reply
* [PATCH 00/61] vfs: change inode->i_ino from unsigned long to u64
From: Jeff Layton @ 2026-02-26 15:55 UTC (permalink / raw)
To: Alexander Viro, Christian Brauner, Jan Kara, Steven Rostedt,
Masami Hiramatsu, Mathieu Desnoyers, Dan Williams, Matthew Wilcox,
Eric Biggers, Theodore Y. Ts'o, Muchun Song, Oscar Salvador,
David Hildenbrand, David Howells, Paulo Alcantara, Andreas Dilger,
Jan Kara, Jaegeuk Kim, Chao Yu, Trond Myklebust, Anna Schumaker,
Chuck Lever, NeilBrown, Olga Kornievskaia, Dai Ngo, Tom Talpey,
Steve French, Ronnie Sahlberg, Shyam Prasad N, Bharath SM,
Alexander Aring, Ryusuke Konishi, Viacheslav Dubeyko,
Eric Van Hensbergen, Latchesar Ionkov, Dominique Martinet,
Christian Schoenebeck, David Sterba, Marc Dionne, Ian Kent,
Luis de Bethencourt, Salah Triki, Tigran A. Aivazian,
Ilya Dryomov, Alex Markuze, Jan Harkes, coda, Nicolas Pitre,
Tyler Hicks, Amir Goldstein, Christoph Hellwig,
John Paul Adrian Glaubitz, Yangtao Li, Mikulas Patocka,
David Woodhouse, Richard Weinberger, Dave Kleikamp,
Konstantin Komarov, Mark Fasheh, Joel Becker, Joseph Qi,
Mike Marshall, Martin Brandenburg, Miklos Szeredi, Anders Larsen,
Zhihao Cheng, Damien Le Moal, Naohiro Aota, Johannes Thumshirn,
John Johansen, Paul Moore, James Morris, Serge E. Hallyn,
Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Fan Wu,
Stephen Smalley, Ondrej Mosnacek, Casey Schaufler, Alex Deucher,
Christian König, David Airlie, Simona Vetter, Sumit Semwal,
Eric Dumazet, Kuniyuki Iwashima, Paolo Abeni, Willem de Bruijn,
David S. Miller, Jakub Kicinski, Simon Horman, Oleg Nesterov,
Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
Namhyung Kim, Mark Rutland, Alexander Shishkin, Jiri Olsa,
Ian Rogers, Adrian Hunter, James Clark, Darrick J. Wong,
Martin Schiller
Cc: linux-fsdevel, linux-kernel, linux-trace-kernel, nvdimm, fsverity,
linux-mm, netfs, linux-ext4, linux-f2fs-devel, linux-nfs,
linux-cifs, samba-technical, linux-nilfs, v9fs, linux-afs, autofs,
ceph-devel, codalist, ecryptfs, linux-mtd, jfs-discussion, ntfs3,
ocfs2-devel, devel, linux-unionfs, apparmor,
linux-security-module, linux-integrity, selinux, amd-gfx,
dri-devel, linux-media, linaro-mm-sig, netdev, linux-perf-users,
linux-fscrypt, linux-xfs, linux-hams, linux-x25, Jeff Layton
Christian said [1] to "just do it" when I proposed this, so here we are!
For historical reasons, the inode->i_ino field is an unsigned long,
which means that it's 32 bits on 32 bit architectures. This has caused a
number of filesystems to implement hacks to hash a 64-bit identifier
into a 32-bit field, and deprives us of a universal identifier field for
an inode.
This patchset changes the inode->i_ino field from an unsigned long to a
u64. This shouldn't make any material difference on 64-bit hosts, but
32-bit hosts will see struct inode grow by at least 4 bytes. This could
have effects on slabcache sizes and field alignment.
The bulk of the changes are to format strings and tracepoints, since the
kernel itself doesn't care that much about the i_ino field. The first
patch changes some vfs function arguments, so check that one out
carefully.
With this change, we may be able to shrink some inode structures. For
instance, struct nfs_inode has a fileid field that holds the 64-bit
inode number. With this set of changes, that field could be eliminated.
I'd rather leave that sort of cleanups for later just to keep this
simple.
Much of this set was generated by LLM, but I attributed it to myself
since I consider this to be in the "menial tasks" category of LLM usage.
[1]: https://lore.kernel.org/linux-fsdevel/20260219-portrait-winkt-959070cee42f@brauner/
Signed-off-by: Jeff Layton <jlayton@kernel.org>
---
Jeff Layton (61):
vfs: widen inode hash/lookup functions to u64
vfs: change i_ino from unsigned long to u64
trace: update VFS-layer trace events for u64 i_ino
ext4: update for u64 i_ino
jbd2: update format strings for u64 i_ino
f2fs: update for u64 i_ino
lockd: update format strings for u64 i_ino
nfs: update for u64 i_ino
nfs: remove nfs_fattr_to_ino_t() and nfs_fileid_to_ino_t()
nfs: remove nfs_compat_user_ino64()
nfs: remove enable_ino64 module parameter
nfsd: update format strings for u64 i_ino
smb: store full 64-bit uniqueid in i_ino
smb: remove cifs_uniqueid_to_ino_t()
locks: update /proc/locks format for u64 i_ino
proc: update /proc/PID/maps for u64 i_ino
nilfs2: update for u64 i_ino
9p: update format strings for u64 i_ino
affs: update format strings for u64 i_ino
afs: update format strings for u64 i_ino
autofs: update format strings for u64 i_ino
befs: update format strings for u64 i_ino
bfs: update format strings for u64 i_ino
cachefiles: update format strings for u64 i_ino
ceph: update format strings for u64 i_ino
coda: update format strings for u64 i_ino
cramfs: update format strings for u64 i_ino
ecryptfs: update format strings for u64 i_ino
efs: update format strings for u64 i_ino
exportfs: update format strings for u64 i_ino
ext2: update format strings for u64 i_ino
freevxfs: update format strings for u64 i_ino
hfs: update format strings for u64 i_ino
hfsplus: update format strings for u64 i_ino
hpfs: update format strings for u64 i_ino
isofs: update format strings for u64 i_ino
jffs2: update format strings for u64 i_ino
jfs: update format strings for u64 i_ino
minix: update format strings for u64 i_ino
nsfs: update format strings for u64 i_ino
ntfs3: update format strings for u64 i_ino
ocfs2: update format strings for u64 i_ino
orangefs: update format strings for u64 i_ino
overlayfs: update format strings for u64 i_ino
qnx4: update format strings for u64 i_ino
qnx6: update format strings for u64 i_ino
ubifs: update format strings for u64 i_ino
udf: update format strings for u64 i_ino
ufs: update format strings for u64 i_ino
zonefs: update format strings for u64 i_ino
security: update audit format strings for u64 i_ino
drm/amdgpu: update for u64 i_ino
fsnotify: update fdinfo format strings for u64 i_ino
net: update socket dname format for u64 i_ino
uprobes: update format strings for u64 i_ino
dma-buf: update format string for u64 i_ino
fscrypt: update format strings for u64 i_ino
fsverity: update format string for u64 i_ino
iomap: update format string for u64 i_ino
net: update legacy protocol format strings for u64 i_ino
vfs: update core format strings for u64 i_ino
drivers/dma-buf/dma-buf.c | 2 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 4 +-
fs/9p/vfs_addr.c | 4 +-
fs/9p/vfs_inode.c | 6 +-
fs/9p/vfs_inode_dotl.c | 6 +-
fs/affs/amigaffs.c | 8 +-
fs/affs/bitmap.c | 2 +-
fs/affs/dir.c | 2 +-
fs/affs/file.c | 20 +-
fs/affs/inode.c | 12 +-
fs/affs/namei.c | 14 +-
fs/affs/symlink.c | 2 +-
fs/afs/dir.c | 10 +-
fs/afs/dir_search.c | 2 +-
fs/afs/dynroot.c | 2 +-
fs/afs/inode.c | 2 +-
fs/autofs/inode.c | 2 +-
fs/befs/linuxvfs.c | 28 +-
fs/bfs/dir.c | 4 +-
fs/cachefiles/io.c | 6 +-
fs/cachefiles/namei.c | 12 +-
fs/cachefiles/xattr.c | 2 +-
fs/ceph/crypto.c | 4 +-
fs/coda/dir.c | 2 +-
fs/coda/inode.c | 2 +-
fs/cramfs/inode.c | 2 +-
fs/crypto/crypto.c | 2 +-
fs/crypto/hooks.c | 2 +-
fs/crypto/keysetup.c | 2 +-
fs/dcache.c | 4 +-
fs/ecryptfs/crypto.c | 6 +-
fs/ecryptfs/file.c | 2 +-
fs/efs/inode.c | 6 +-
fs/eventpoll.c | 2 +-
fs/exportfs/expfs.c | 4 +-
fs/ext2/dir.c | 10 +-
fs/ext2/ialloc.c | 9 +-
fs/ext2/inode.c | 2 +-
fs/ext2/xattr.c | 14 +-
fs/ext4/dir.c | 2 +-
fs/ext4/ext4.h | 4 +-
fs/ext4/extents.c | 8 +-
fs/ext4/extents_status.c | 28 +-
fs/ext4/fast_commit.c | 8 +-
fs/ext4/ialloc.c | 10 +-
fs/ext4/indirect.c | 2 +-
fs/ext4/inline.c | 14 +-
fs/ext4/inode.c | 22 +-
fs/ext4/ioctl.c | 4 +-
fs/ext4/mballoc.c | 6 +-
fs/ext4/migrate.c | 2 +-
fs/ext4/move_extent.c | 20 +-
fs/ext4/namei.c | 10 +-
fs/ext4/orphan.c | 16 +-
fs/ext4/page-io.c | 10 +-
fs/ext4/super.c | 22 +-
fs/ext4/xattr.c | 10 +-
fs/f2fs/compress.c | 4 +-
fs/f2fs/dir.c | 2 +-
fs/f2fs/extent_cache.c | 8 +-
fs/f2fs/f2fs.h | 6 +-
fs/f2fs/file.c | 12 +-
fs/f2fs/gc.c | 2 +-
fs/f2fs/inline.c | 4 +-
fs/f2fs/inode.c | 48 ++--
fs/f2fs/namei.c | 8 +-
fs/f2fs/node.c | 12 +-
fs/f2fs/recovery.c | 10 +-
fs/f2fs/xattr.c | 10 +-
fs/freevxfs/vxfs_bmap.c | 4 +-
fs/fserror.c | 2 +-
fs/hfs/catalog.c | 2 +-
fs/hfs/extent.c | 4 +-
fs/hfs/inode.c | 4 +-
fs/hfsplus/attributes.c | 10 +-
fs/hfsplus/catalog.c | 2 +-
fs/hfsplus/dir.c | 6 +-
fs/hfsplus/extents.c | 6 +-
fs/hfsplus/inode.c | 8 +-
fs/hfsplus/super.c | 6 +-
fs/hfsplus/xattr.c | 10 +-
fs/hpfs/dir.c | 4 +-
fs/hpfs/dnode.c | 4 +-
fs/hpfs/ea.c | 4 +-
fs/hpfs/inode.c | 4 +-
fs/inode.c | 46 ++--
fs/iomap/ioend.c | 2 +-
fs/isofs/compress.c | 2 +-
fs/isofs/dir.c | 2 +-
fs/isofs/inode.c | 6 +-
fs/isofs/namei.c | 2 +-
fs/jbd2/journal.c | 4 +-
fs/jbd2/transaction.c | 2 +-
fs/jffs2/dir.c | 4 +-
fs/jffs2/file.c | 4 +-
fs/jffs2/fs.c | 18 +-
fs/jfs/inode.c | 2 +-
fs/jfs/jfs_imap.c | 2 +-
fs/jfs/jfs_metapage.c | 2 +-
fs/lockd/svclock.c | 8 +-
fs/lockd/svcsubs.c | 2 +-
fs/locks.c | 6 +-
fs/minix/inode.c | 10 +-
fs/nfs/dir.c | 22 +-
fs/nfs/file.c | 8 +-
fs/nfs/filelayout/filelayout.c | 8 +-
fs/nfs/flexfilelayout/flexfilelayout.c | 8 +-
fs/nfs/inode.c | 54 +---
fs/nfs/nfs4proc.c | 4 +-
fs/nfs/pnfs.c | 12 +-
fs/nfsd/export.c | 2 +-
fs/nfsd/nfs4state.c | 4 +-
fs/nfsd/nfsfh.c | 4 +-
fs/nfsd/vfs.c | 2 +-
fs/nilfs2/alloc.c | 10 +-
fs/nilfs2/bmap.c | 2 +-
fs/nilfs2/btnode.c | 2 +-
fs/nilfs2/btree.c | 12 +-
fs/nilfs2/dir.c | 12 +-
fs/nilfs2/direct.c | 4 +-
fs/nilfs2/gcinode.c | 2 +-
fs/nilfs2/inode.c | 8 +-
fs/nilfs2/mdt.c | 2 +-
fs/nilfs2/namei.c | 2 +-
fs/nilfs2/segment.c | 2 +-
fs/notify/fdinfo.c | 4 +-
fs/nsfs.c | 4 +-
fs/ntfs3/super.c | 2 +-
fs/ocfs2/alloc.c | 2 +-
fs/ocfs2/aops.c | 4 +-
fs/ocfs2/dir.c | 8 +-
fs/ocfs2/dlmfs/dlmfs.c | 10 +-
fs/ocfs2/extent_map.c | 12 +-
fs/ocfs2/inode.c | 2 +-
fs/ocfs2/quota_local.c | 2 +-
fs/ocfs2/refcounttree.c | 10 +-
fs/ocfs2/xattr.c | 4 +-
fs/orangefs/inode.c | 2 +-
fs/overlayfs/export.c | 2 +-
fs/overlayfs/namei.c | 4 +-
fs/overlayfs/util.c | 2 +-
fs/pipe.c | 2 +-
fs/proc/fd.c | 2 +-
fs/proc/task_mmu.c | 4 +-
fs/qnx4/inode.c | 4 +-
fs/qnx6/inode.c | 2 +-
fs/smb/client/cifsfs.h | 17 --
fs/smb/client/inode.c | 6 +-
fs/smb/client/readdir.c | 2 +-
fs/ubifs/debug.c | 8 +-
fs/ubifs/dir.c | 28 +-
fs/ubifs/file.c | 28 +-
fs/ubifs/journal.c | 6 +-
fs/ubifs/super.c | 16 +-
fs/ubifs/tnc.c | 4 +-
fs/ubifs/xattr.c | 14 +-
fs/udf/directory.c | 18 +-
fs/udf/file.c | 2 +-
fs/udf/inode.c | 12 +-
fs/udf/namei.c | 8 +-
fs/udf/super.c | 2 +-
fs/ufs/balloc.c | 6 +-
fs/ufs/dir.c | 10 +-
fs/ufs/ialloc.c | 6 +-
fs/ufs/inode.c | 18 +-
fs/ufs/ufs_fs.h | 6 +-
fs/ufs/util.c | 2 +-
fs/verity/init.c | 2 +-
fs/zonefs/super.c | 8 +-
include/linux/fs.h | 28 +-
include/linux/nfs_fs.h | 10 -
include/trace/events/cachefiles.h | 18 +-
include/trace/events/ext4.h | 427 +++++++++++++++--------------
include/trace/events/f2fs.h | 172 ++++++------
include/trace/events/filelock.h | 16 +-
include/trace/events/filemap.h | 20 +-
include/trace/events/fs_dax.h | 20 +-
include/trace/events/fsverity.h | 30 +-
include/trace/events/hugetlbfs.h | 28 +-
include/trace/events/netfs.h | 4 +-
include/trace/events/nilfs2.h | 12 +-
include/trace/events/readahead.h | 12 +-
include/trace/events/timestamp.h | 12 +-
include/trace/events/writeback.h | 148 +++++-----
kernel/events/uprobes.c | 4 +-
net/netrom/af_netrom.c | 4 +-
net/rose/af_rose.c | 4 +-
net/socket.c | 2 +-
net/x25/x25_proc.c | 4 +-
security/apparmor/apparmorfs.c | 4 +-
security/integrity/integrity_audit.c | 2 +-
security/ipe/audit.c | 2 +-
security/lsm_audit.c | 10 +-
security/selinux/hooks.c | 4 +-
security/smack/smack_lsm.c | 12 +-
195 files changed, 1101 insertions(+), 1166 deletions(-)
---
base-commit: 2bf35e96cf6c6c3a290b69b777d34be15888e364
change-id: 20260224-iino-u64-b44a3a72543c
Best regards,
--
Jeff Layton <jlayton@kernel.org>
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox