lsm: consolidate lsm_allowed() and prepare_lsm() into lsm_prepare()
authorPaul Moore <paul@paul-moore.com>
Tue, 11 Feb 2025 17:19:47 +0000 (12:19 -0500)
committerPaul Moore <paul@paul-moore.com>
Wed, 22 Oct 2025 23:24:16 +0000 (19:24 -0400)
Simplify and consolidate the lsm_allowed() and prepare_lsm() functions
into a new function, lsm_prepare().

Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: John Johansen <john.johhansen@canonical.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
security/lsm_init.c

index 124213b906af205f5338ebbf66002c59d1f81690..6f40ab1d2f54b3d956633776a8e9e00eb1ecb0e0 100644 (file)
@@ -123,22 +123,6 @@ static void __init append_ordered_lsm(struct lsm_info *lsm, const char *from)
                   is_enabled(lsm) ? "enabled" : "disabled");
 }
 
-/* Is an LSM allowed to be initialized? */
-static bool __init lsm_allowed(struct lsm_info *lsm)
-{
-       /* Skip if the LSM is disabled. */
-       if (!is_enabled(lsm))
-               return false;
-
-       /* Not allowed if another exclusive LSM already initialized. */
-       if ((lsm->flags & LSM_FLAG_EXCLUSIVE) && exclusive) {
-               init_debug("exclusive disabled: %s\n", lsm->name);
-               return false;
-       }
-
-       return true;
-}
-
 static void __init lsm_set_blob_size(int *need, int *lbs)
 {
        int offset;
@@ -151,54 +135,53 @@ static void __init lsm_set_blob_size(int *need, int *lbs)
        *need = offset;
 }
 
-static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed)
+/**
+ * lsm_prepare - Prepare the LSM framework for a new LSM
+ * @lsm: LSM definition
+ */
+static void __init lsm_prepare(struct lsm_info *lsm)
 {
-       if (!needed)
+       struct lsm_blob_sizes *blobs;
+
+       if (!is_enabled(lsm)) {
+               set_enabled(lsm, false);
                return;
+       } else if ((lsm->flags & LSM_FLAG_EXCLUSIVE) && exclusive) {
+               init_debug("exclusive disabled: %s\n", lsm->name);
+               set_enabled(lsm, false);
+               return;
+       }
 
-       lsm_set_blob_size(&needed->lbs_cred, &blob_sizes.lbs_cred);
-       lsm_set_blob_size(&needed->lbs_file, &blob_sizes.lbs_file);
-       lsm_set_blob_size(&needed->lbs_ib, &blob_sizes.lbs_ib);
-       /*
-        * The inode blob gets an rcu_head in addition to
-        * what the modules might need.
-        */
-       if (needed->lbs_inode && blob_sizes.lbs_inode == 0)
+       /* Mark the LSM as enabled. */
+       set_enabled(lsm, true);
+       if ((lsm->flags & LSM_FLAG_EXCLUSIVE) && !exclusive) {
+               init_debug("exclusive chosen:   %s\n", lsm->name);
+               exclusive = lsm;
+       }
+
+       /* Register the LSM blob sizes. */
+       blobs = lsm->blobs;
+       lsm_set_blob_size(&blobs->lbs_cred, &blob_sizes.lbs_cred);
+       lsm_set_blob_size(&blobs->lbs_file, &blob_sizes.lbs_file);
+       lsm_set_blob_size(&blobs->lbs_ib, &blob_sizes.lbs_ib);
+       /* inode blob gets an rcu_head in addition to LSM blobs. */
+       if (blobs->lbs_inode && blob_sizes.lbs_inode == 0)
                blob_sizes.lbs_inode = sizeof(struct rcu_head);
-       lsm_set_blob_size(&needed->lbs_inode, &blob_sizes.lbs_inode);
-       lsm_set_blob_size(&needed->lbs_ipc, &blob_sizes.lbs_ipc);
-       lsm_set_blob_size(&needed->lbs_key, &blob_sizes.lbs_key);
-       lsm_set_blob_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg);
-       lsm_set_blob_size(&needed->lbs_perf_event, &blob_sizes.lbs_perf_event);
-       lsm_set_blob_size(&needed->lbs_sock, &blob_sizes.lbs_sock);
-       lsm_set_blob_size(&needed->lbs_superblock, &blob_sizes.lbs_superblock);
-       lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task);
-       lsm_set_blob_size(&needed->lbs_tun_dev, &blob_sizes.lbs_tun_dev);
-       lsm_set_blob_size(&needed->lbs_xattr_count,
+       lsm_set_blob_size(&blobs->lbs_inode, &blob_sizes.lbs_inode);
+       lsm_set_blob_size(&blobs->lbs_ipc, &blob_sizes.lbs_ipc);
+       lsm_set_blob_size(&blobs->lbs_key, &blob_sizes.lbs_key);
+       lsm_set_blob_size(&blobs->lbs_msg_msg, &blob_sizes.lbs_msg_msg);
+       lsm_set_blob_size(&blobs->lbs_perf_event, &blob_sizes.lbs_perf_event);
+       lsm_set_blob_size(&blobs->lbs_sock, &blob_sizes.lbs_sock);
+       lsm_set_blob_size(&blobs->lbs_superblock, &blob_sizes.lbs_superblock);
+       lsm_set_blob_size(&blobs->lbs_task, &blob_sizes.lbs_task);
+       lsm_set_blob_size(&blobs->lbs_tun_dev, &blob_sizes.lbs_tun_dev);
+       lsm_set_blob_size(&blobs->lbs_xattr_count,
                          &blob_sizes.lbs_xattr_count);
-       lsm_set_blob_size(&needed->lbs_bdev, &blob_sizes.lbs_bdev);
-       lsm_set_blob_size(&needed->lbs_bpf_map, &blob_sizes.lbs_bpf_map);
-       lsm_set_blob_size(&needed->lbs_bpf_prog, &blob_sizes.lbs_bpf_prog);
-       lsm_set_blob_size(&needed->lbs_bpf_token, &blob_sizes.lbs_bpf_token);
-}
-
-/* Prepare LSM for initialization. */
-static void __init prepare_lsm(struct lsm_info *lsm)
-{
-       int enabled = lsm_allowed(lsm);
-
-       /* Record enablement (to handle any following exclusive LSMs). */
-       set_enabled(lsm, enabled);
-
-       /* If enabled, do pre-initialization work. */
-       if (enabled) {
-               if ((lsm->flags & LSM_FLAG_EXCLUSIVE) && !exclusive) {
-                       exclusive = lsm;
-                       init_debug("exclusive chosen:   %s\n", lsm->name);
-               }
-
-               lsm_set_blob_sizes(lsm->blobs);
-       }
+       lsm_set_blob_size(&blobs->lbs_bdev, &blob_sizes.lbs_bdev);
+       lsm_set_blob_size(&blobs->lbs_bpf_map, &blob_sizes.lbs_bpf_map);
+       lsm_set_blob_size(&blobs->lbs_bpf_prog, &blob_sizes.lbs_bpf_prog);
+       lsm_set_blob_size(&blobs->lbs_bpf_token, &blob_sizes.lbs_bpf_token);
 }
 
 /* Initialize a given LSM, if it is enabled. */
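Review bot: `blobs = lsm->blobs;` is dereferenced unconditionally from the `lsm_set_blob_size(&blobs->lbs_cred, ...)` line onward, whereas the removed lsm_set_blob_sizes() began with `if (!needed) return;`, so an enabled LSM registered without a blob-size table would now fault during early boot instead of being skipped. Unless every LSM definition is guaranteed to supply `.blobs`, the guard should survive the consolidation: after `blobs = lsm->blobs;` add `if (!blobs) return;`. The `else if` following an unconditional `return` is redundant and reads more plainly as a second `if`. The kernel-doc header could also state the side effects, e.g. `* Marks @lsm enabled and registers its blob sizes, or marks it disabled when it is not enabled or another exclusive LSM has already been chosen.`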
@@ -361,7 +344,7 @@ static void __init ordered_lsm_init(void)
                ordered_lsm_parse(builtin_lsm_order, "builtin");
 
        for (lsm = ordered_lsms; *lsm; lsm++)
-               prepare_lsm(*lsm);
+               lsm_prepare(*lsm);
 
        report_lsm_order();
 
@@ -505,7 +488,7 @@ int __init early_security_init(void)
        for (lsm = __start_early_lsm_info; lsm < __end_early_lsm_info; lsm++) {
                if (!lsm->enabled)
                        lsm->enabled = &lsm_enabled_true;
-               prepare_lsm(lsm);
+               lsm_prepare(lsm);
                initialize_lsm(lsm);
        }