
Commit d51e783

KP Singhpcmoore
KP Singh
authored andcommitted
lsm: count the LSMs enabled at compile time
These macros are a clever trick to determine a count of the number of LSMs that are enabled in the config to ascertain the maximum number of static calls that need to be configured per LSM hook. Without this one would need to generate static calls for the total number of LSMs in the kernel (even if they are not compiled) times the number of LSM hooks which ends up being quite wasteful. Tested-by: Guenter Roeck <[email protected]> Suggested-by: Kui-Feng Lee <[email protected]> Suggested-by: Andrii Nakryiko <[email protected]> Reviewed-by: Kees Cook <[email protected]> Reviewed-by: Casey Schaufler <[email protected]> Reviewed-by: John Johansen <[email protected]> Acked-by: Casey Schaufler <[email protected]> Acked-by: Song Liu <[email protected]> Acked-by: Andrii Nakryiko <[email protected]> Nacked-by: Tetsuo Handa <[email protected]> Signed-off-by: KP Singh <[email protected]> [PM: added IPE to the count during merge] Signed-off-by: Paul Moore <[email protected]>
1 parent 7cff549 commit d51e783

2 files changed

+138
-3
lines changed


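--- a/include/linux/args.h
+++ b/include/linux/args.h
@@ -17,9 +17,9 @@
  * that as _n.
  */
 
-/* This counts to 12. Any more, it will return 13th argument. */
-#define __COUNT_ARGS(_0, _1, _2, _3, _4, _5, _6, _7, _8, _9, _10, _11, _12, _n, X...) _n
-#define COUNT_ARGS(X...) __COUNT_ARGS(, ##X, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0)
+/* This counts to 15. Any more, it will return 16th argument. */
+#define __COUNT_ARGS(_0, _1, _2, _3, _4, _5, _6, _7, _8, _9, _10, _11, _12, _13, _14, _15, _n, X...) _n
+#define COUNT_ARGS(X...) __COUNT_ARGS(, ##X, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0)
 
 /* Concatenate two parameters, but allow them to be expanded beforehand. */
 #define __CONCAT(a, b) a ## b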
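Review bot: The new comment at line 20 states that more than 15 arguments makes `COUNT_ARGS` return the 16th argument instead of a count, and the only caller this commit adds, `MAX_LSM_COUNT` in include/linux/lsm_count.h, already feeds it 14 entries, so the bound has headroom for exactly one more LSM before the count becomes silently wrong rather than failing to build. That coupling is not visible from args.h; a sentence next to the macro such as `/* lsm_count.h depends on this bound: exceeding it yields a wrong count, not an error */` would warn whoever adds the next `_16` slot or the next LSM. A build-time check along the lines of `static_assert(MAX_LSM_COUNT <= 15)` at the C site that consumes the count would turn the silent wrap into a compile error; where that site is cannot be told from this commit.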

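--- /dev/null
+++ b/include/linux/lsm_count.h
@@ -0,0 +1,135 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+
+/*
+ * Copyright (C) 2023 Google LLC.
+ */
+
+#ifndef __LINUX_LSM_COUNT_H
+#define __LINUX_LSM_COUNT_H
+
+#include <linux/args.h>
+
+#ifdef CONFIG_SECURITY
+
+/*
+ * Macros to count the number of LSMs enabled in the kernel at compile time.
+ */
+
+/*
+ * Capabilities is enabled when CONFIG_SECURITY is enabled.
+ */
+#if IS_ENABLED(CONFIG_SECURITY)
+#define CAPABILITIES_ENABLED 1,
+#else
+#define CAPABILITIES_ENABLED
+#endif
+
+#if IS_ENABLED(CONFIG_SECURITY_SELINUX)
+#define SELINUX_ENABLED 1,
+#else
+#define SELINUX_ENABLED
+#endif
+
+#if IS_ENABLED(CONFIG_SECURITY_SMACK)
+#define SMACK_ENABLED 1,
+#else
+#define SMACK_ENABLED
+#endif
+
+#if IS_ENABLED(CONFIG_SECURITY_APPARMOR)
+#define APPARMOR_ENABLED 1,
+#else
+#define APPARMOR_ENABLED
+#endif
+
+#if IS_ENABLED(CONFIG_SECURITY_TOMOYO)
+#define TOMOYO_ENABLED 1,
+#else
+#define TOMOYO_ENABLED
+#endif
+
+#if IS_ENABLED(CONFIG_SECURITY_YAMA)
+#define YAMA_ENABLED 1,
+#else
+#define YAMA_ENABLED
+#endif
+
+#if IS_ENABLED(CONFIG_SECURITY_LOADPIN)
+#define LOADPIN_ENABLED 1,
+#else
+#define LOADPIN_ENABLED
+#endif
+
+#if IS_ENABLED(CONFIG_SECURITY_LOCKDOWN_LSM)
+#define LOCKDOWN_ENABLED 1,
+#else
+#define LOCKDOWN_ENABLED
+#endif
+
+#if IS_ENABLED(CONFIG_SECURITY_SAFESETID)
+#define SAFESETID_ENABLED 1,
+#else
+#define SAFESETID_ENABLED
+#endif
+
+#if IS_ENABLED(CONFIG_BPF_LSM)
+#define BPF_LSM_ENABLED 1,
+#else
+#define BPF_LSM_ENABLED
+#endif
+
+#if IS_ENABLED(CONFIG_SECURITY_LANDLOCK)
+#define LANDLOCK_ENABLED 1,
+#else
+#define LANDLOCK_ENABLED
+#endif
+
+#if IS_ENABLED(CONFIG_IMA)
+#define IMA_ENABLED 1,
+#else
+#define IMA_ENABLED
+#endif
+
+#if IS_ENABLED(CONFIG_EVM)
+#define EVM_ENABLED 1,
+#else
+#define EVM_ENABLED
+#endif
+
+#if IS_ENABLED(CONFIG_SECURITY_IPE)
+#define IPE_ENABLED 1,
+#else
+#define IPE_ENABLED
+#endif
+
+/*
+ * There is a trailing comma that we need to be accounted for. This is done by
+ * using a skipped argument in __COUNT_LSMS
+ */
+#define __COUNT_LSMS(skipped_arg, args...) COUNT_ARGS(args...)
+#define COUNT_LSMS(args...) __COUNT_LSMS(args)
+
+#define MAX_LSM_COUNT \
+	COUNT_LSMS( \
+		CAPABILITIES_ENABLED \
+		SELINUX_ENABLED \
+		SMACK_ENABLED \
+		APPARMOR_ENABLED \
+		TOMOYO_ENABLED \
+		YAMA_ENABLED \
+		LOADPIN_ENABLED \
+		LOCKDOWN_ENABLED \
+		SAFESETID_ENABLED \
+		BPF_LSM_ENABLED \
+		LANDLOCK_ENABLED \
+		IMA_ENABLED \
+		EVM_ENABLED \
+		IPE_ENABLED)
+
+#else
+
+#define MAX_LSM_COUNT 0
+
+#endif /* CONFIG_SECURITY */
+
+#endif /* __LINUX_LSM_COUNT_H */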
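Review bot: The `#if IS_ENABLED(CONFIG_SECURITY)` at new line 21 is evaluated inside the `#ifdef CONFIG_SECURITY` opened at line 12, so it is always true and the `#else` branch at lines 23-24 defining an empty `CAPABILITIES_ENABLED` can never be taken; the block could shrink to `#define CAPABILITIES_ENABLED 1,` under the existing comment at lines 18-20, which already explains why. The comment at lines 105-108 names the trailing-comma trick but not the invariant it produces, so a line such as `/* Each *_ENABLED expands to "1," or nothing; the skipped arg absorbs the trailing empty entry so the result is the exact number of enabled LSMs */` would make the `__COUNT_LSMS` / `COUNT_LSMS` pair readable without tracing the expansion by hand. The file uses `IS_ENABLED()` but only includes `<linux/args.h>`; if the header is meant to be self-contained, an explicit `#include <linux/kconfig.h>` would state where that macro comes from, though the kernel build may already provide it implicitly.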
