Re: [PATCH v15 3/4] lsm: count the LSMs enabled at compile time

On Fri, Aug 16, 2024 at 11:43 AM KP Singh <kpsingh@xxxxxxxxxx> wrote:
>
> These macros are a clever trick to determine a count of the number of
> LSMs that are enabled in the config to ascertain the maximum number of
> static calls that need to be configured per LSM hook.
>
> Without this one would need to generate static calls for the total
> number of LSMs in the kernel (even if they are not compiled) times the
> number of LSM hooks which ends up being quite wasteful.
>
> Suggested-by: Kui-Feng Lee <sinquersw@xxxxxxxxx>
> Suggested-by: Andrii Nakryiko <andrii@xxxxxxxxxx>
> Acked-by: Song Liu <song@xxxxxxxxxx>
> Acked-by: Andrii Nakryiko <andrii@xxxxxxxxxx>
> Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
> Reviewed-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
> Signed-off-by: KP Singh <kpsingh@xxxxxxxxxx>
> Reviewed-by: John Johansen <john.johansen@xxxxxxxxxxxxx>
> [PM: subj tweaks]
> Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
> ---
>  include/linux/args.h      |   6 +-
>  include/linux/lsm_count.h | 128 ++++++++++++++++++++++++++++++++++++++
>  2 files changed, 131 insertions(+), 3 deletions(-)
>  create mode 100644 include/linux/lsm_count.h

...

> diff --git a/include/linux/lsm_count.h b/include/linux/lsm_count.h
> new file mode 100644
> index 000000000000..73c7cc81349b
> --- /dev/null
> +++ b/include/linux/lsm_count.h
> @@ -0,0 +1,128 @@

...

> +/*
> + *  There is a trailing comma that we need to be accounted for. This is done by
> + *  using a skipped argument in __COUNT_LSMS
> + */
> +#define __COUNT_LSMS(skipped_arg, args...) COUNT_ARGS(args...)
> +#define COUNT_LSMS(args...) __COUNT_LSMS(args)
> +
> +#define MAX_LSM_COUNT                  \
> +       COUNT_LSMS(                     \
> +               CAPABILITIES_ENABLED    \
> +               SELINUX_ENABLED         \
> +               SMACK_ENABLED           \
> +               APPARMOR_ENABLED        \
> +               TOMOYO_ENABLED          \
> +               YAMA_ENABLED            \
> +               LOADPIN_ENABLED         \
> +               LOCKDOWN_ENABLED        \
> +               SAFESETID_ENABLED       \
> +               BPF_LSM_ENABLED         \
> +               LANDLOCK_ENABLED        \
> +               IMA_ENABLED             \
> +               EVM_ENABLED)
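
Review bot: MAX_LSM_COUNT is a hand-maintained list of *_ENABLED entries, and nothing in the visible lines ties it to the set of LSMs present in the tree, so an LSM merged without a matching entry here (IPE, as the reply below notes) is silently left out of the count that sizes the per-hook static calls. A comment directly above MAX_LSM_COUNT stating that every new LSM must add its *_ENABLED entry to this list would make the requirement visible to the next person adding one. Separately, the comment above __COUNT_LSMS reads "that we need to be accounted for"; "that needs to be accounted for" is what is meant.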

The above is missing an entry for IPE; I missed this during the merge,
thanks to Fan for pointing it out.  As the IPE patchset was merged
into the lsm/dev tree only a few hours before this patchset, that
isn't your fault, it's mine :)

Regardless, it should be fixed in lsm/dev now.

-- 
paul-moore.com




