On 9/18/2023 2:24 PM, KP Singh wrote: > These macros are a clever trick to determine a count of the number of > LSMs that are enabled in the config to ascertain the maximum number of > static calls that need to be configured per LSM hook. > > Without this one would need to generate static calls for (number of > possible LSMs * number of LSM hooks) which ends up being quite wasteful > especially when some LSMs are not compiled into the kernel. > > Suggested-by: Kui-Feng Lee <sinquersw@xxxxxxxxx> > Suggested-by: Andrii Nakryiko <andrii@xxxxxxxxxx > Signed-off-by: KP Singh <kpsingh@xxxxxxxxxx> Much better than previous versions. Reviewed-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx> > --- > include/linux/lsm_count.h | 106 ++++++++++++++++++++++++++++++++++++++ > 1 file changed, 106 insertions(+) > create mode 100644 include/linux/lsm_count.h > > diff --git a/include/linux/lsm_count.h b/include/linux/lsm_count.h > new file mode 100644 > index 000000000000..0c0ff3c7dddc > --- /dev/null > +++ b/include/linux/lsm_count.h > @@ -0,0 +1,106 @@ > +/* SPDX-License-Identifier: GPL-2.0 */ > + > +/* > + * Copyright (C) 2023 Google LLC. > + */ > + > +#ifndef __LINUX_LSM_COUNT_H > +#define __LINUX_LSM_COUNT_H > + > +#include <linux/kconfig.h> > + > +#ifdef CONFIG_SECURITY > + > +/* > + * Macros to count the number of LSMs enabled in the kernel at compile time. > + */ > + > +/* > + * Capabilities is enabled when CONFIG_SECURITY is enabled. > + */ > +#if IS_ENABLED(CONFIG_SECURITY) > +#define CAPABILITIES_ENABLED 1, > +#else > +#define CAPABILITIES_ENABLED > +#endif > + > +#if IS_ENABLED(CONFIG_SECURITY_SELINUX) > +#define SELINUX_ENABLED 1, > +#else > +#define SELINUX_ENABLED > +#endif > + > +#if IS_ENABLED(CONFIG_SECURITY_SMACK) > +#define SMACK_ENABLED 1, > +#else > +#define SMACK_ENABLED > +#endif > + > +#if IS_ENABLED(CONFIG_SECURITY_APPARMOR) > +#define APPARMOR_ENABLED 1, > +#else > +#define APPARMOR_ENABLED > +#endif > + > +#if IS_ENABLED(CONFIG_SECURITY_TOMOYO) > +#define TOMOYO_ENABLED 1, > +#else > +#define TOMOYO_ENABLED > +#endif > + > +#if IS_ENABLED(CONFIG_SECURITY_YAMA) > +#define YAMA_ENABLED 1, > +#else > +#define YAMA_ENABLED > +#endif > + > +#if IS_ENABLED(CONFIG_SECURITY_LOADPIN) > +#define LOADPIN_ENABLED 1, > +#else > +#define LOADPIN_ENABLED > +#endif > + > +#if IS_ENABLED(CONFIG_SECURITY_LOCKDOWN_LSM) > +#define LOCKDOWN_ENABLED 1, > +#else > +#define LOCKDOWN_ENABLED > +#endif > + > +#if IS_ENABLED(CONFIG_BPF_LSM) > +#define BPF_LSM_ENABLED 1, > +#else > +#define BPF_LSM_ENABLED > +#endif > + > +#if IS_ENABLED(CONFIG_SECURITY_LANDLOCK) > +#define LANDLOCK_ENABLED 1, > +#else > +#define LANDLOCK_ENABLED > +#endif > + > + > +#define __COUNT_COMMAS(_0, _1, _2, _3, _4, _5, _6, _7, _8, _9, _10, _11, _12, _n, X...) _n > +#define COUNT_COMMAS(a, X...) __COUNT_COMMAS(, ##X, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0) > +#define ___COUNT_COMMAS(args...) COUNT_COMMAS(args) > + > + > +#define MAX_LSM_COUNT \ > + ___COUNT_COMMAS( \ > + CAPABILITIES_ENABLED \ > + SELINUX_ENABLED \ > + SMACK_ENABLED \ > + APPARMOR_ENABLED \ > + TOMOYO_ENABLED \ > + YAMA_ENABLED \ > + LOADPIN_ENABLED \ > + LOCKDOWN_ENABLED \ > + BPF_LSM_ENABLED \ > + LANDLOCK_ENABLED) > + > +#else > + > +#define MAX_LSM_COUNT 0 > + > +#endif /* CONFIG_SECURITY */ > + > +#endif /* __LINUX_LSM_COUNT_H */
