With CONFIG_AUDIT enabled but CONFIG_SECURITY disabled we run into a problem where the lockdown reason table is missing. This patch attempts to fix this by hiding the table behind a lookup function.
Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
---
 include/linux/security.h | 7 +++++++
 security/lsm_audit.c | 12 +++++++++---
 security/security.c | 5 +++++
 3 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index 64b19f050343..295509a809d6 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -447,6 +447,8 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
 int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
 int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
 int security_locked_down(enum lockdown_reason what);
+const char *security_locked_reasonstr(enum lockdown_reason what);
+
 #else /* CONFIG_SECURITY */
 static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
@@ -1274,6 +1276,11 @@ static inline int security_locked_down(enum lockdown_reason what)
 {
 return 0;
 }
+
+static inline const char *security_locked_reasonstr(enum lockdown_reason what)
+{
+ return NULL;
+}
 #endif /* CONFIG_SECURITY */
 #ifdef CONFIG_SECURITY_NETWORK
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 2d2bf49016f4..519ef6046638 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -426,10 +426,16 @@ static void dump_common_audit_data(struct audit_buffer *ab,
 a->u.ibendport->dev_name,
 a->u.ibendport->port);
 break;
- case LSM_AUDIT_DATA_LOCKDOWN:
- audit_log_format(ab, " lockdown_reason=");
- audit_log_string(ab, lockdown_reasons[a->u.reason]);
+ case LSM_AUDIT_DATA_LOCKDOWN: {
+ const char *str = security_locked_reasonstr(a->u.reason);
+
+ if (str) {
+ audit_log_format(ab, " lockdown_reason=");
+ audit_log_string(ab, str);
+ } else
+ audit_log_format(ab, " lockdown_reason=?");
 break;
+ }
 } /* switch (a->type) */
 }
diff --git a/security/security.c b/security/security.c
index 2b5473d92416..2f228fdbebf5 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2438,6 +2438,11 @@ int security_locked_down(enum lockdown_reason what)
 }
 EXPORT_SYMBOL(security_locked_down);
+const char *security_locked_reasonstr(enum lockdown_reason what)
+{
+ return lockdown_reasons[what];
+}
+
 #ifdef CONFIG_PERF_EVENTS
 int security_perf_event_open(struct perf_event_attr *attr, int type)
 {
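Review bot: The `else` branch in the new LSM_AUDIT_DATA_LOCKDOWN case is left unbraced while the `if (str)` branch is braced; kernel coding style asks for braces on both branches once either needs them, and it keeps the fallback log line safe against a later two-statement edit. I would write `} else {`, `audit_log_format(ab, " lockdown_reason=?");`, `}`. A short comment above the fallback, such as `/* no reason string available, e.g. CONFIG_SECURITY=n */`, would also record why the record can carry `?`. dump_common_audit_data() starts outside this hunk.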
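Review bot: `security_locked_reasonstr()` returns `lockdown_reasons[what]` with no range check, so an out-of-range `what` would read past the table and pass an arbitrary pointer on to `audit_log_string()`. The values presumably come only from in-kernel callers, so this is hardening rather than a known bug, but the caller in lsm_audit.c already handles NULL by logging `lockdown_reason=?`, which makes a guard cheap: `if ((unsigned int)what >= ARRAY_SIZE(lockdown_reasons)) return NULL;` (this assumes the table's sized declaration is visible in security.c, which this hunk does not show). A kernel-doc comment stating that the function may return NULL and that callers must check would fit here too, since the !CONFIG_SECURITY stub in security.h always returns NULL.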