From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: Sascha Hauer <s.hauer@pengutronix.de>,
BAREBOX <barebox@lists.infradead.org>
Cc: Ahmad Fatoum <a.fatoum@barebox.org>
Subject: Re: [PATCH v2 04/24] Add security policy support
Date: Mon, 22 Sep 2025 18:14:36 +0200 [thread overview]
Message-ID: <3d2f3b6b-ff92-4244-bbb4-15657337f72d@pengutronix.de> (raw)
In-Reply-To: <20250917-security-policies-v2-4-f30769a3ff51@pengutronix.de>
On 17.09.25 15:53, Sascha Hauer wrote:
> +bool is_allowed(const struct security_policy *policy, unsigned option)
> +{
> + policy = policy ?: active_policy;
> +
> + if (WARN(option > SCONFIG_NUM))
> + return false;
> +
> + if (!policy && *CONFIG_SECURITY_POLICY_INIT) {
> + security_policy_select(CONFIG_SECURITY_POLICY_INIT);
> + policy = active_policy;
> + }
> +
> + if (policy) {
> + bool allow = __is_allowed(policy, option);
> +
> + policy_debug(policy, option, "%s for %pS\n",
> + allow ? "allowed" : "denied", (void *)_RET_IP_);
> +
> + return allow;
> + }
> +
> + if (IS_ENABLED(CONFIG_SECURITY_POLICY_DEFAULT_PERMISSIVE))
> + pr_warn_once("option %s checked before security policy was set!\n",
> + sconfig_name(option));
> + else
> + return false;
Not having a security policy selected outside of permissive mode is a bug, so
I don't think silent forbidding is a good idea.
At the very least, we should print the warning outside permissive mode as well,
if only to tell people that they have selected the policy too late in their board code.
What's wrong with a panic though?
> +
> + return true;
> +}
> +
> +int security_policy_activate(const struct security_policy *policy)
> +{
> + const struct security_policy *old_policy = active_policy;
> +
> + if (policy == old_policy)
> + return 0;
> +
> + active_policy = policy;
> +
> + for (int i = 0; i < SCONFIG_NUM; i++) {
> + if (__is_allowed(policy, i) == __is_allowed(old_policy, i))
> + continue;
> +
> + notifier_call_chain(&sconfig_notifier_list, i, NULL);
> + }
> +
> + return 0;
> +}
> +
> +const struct security_policy *security_policy_get(const char *name)
> +{
> + const struct policy_list_entry *entry;
> +
> + list_for_each_entry(entry, &policy_list, list) {
> + if (!strcmp(name, entry->policy->name))
> + return entry->policy;
> + }
> +
> + return NULL;
> +}
> +
> +int security_policy_select(const char *name)
> +{
> + const struct security_policy *policy;
> +
> + policy = security_policy_get(name);
> + if (!policy) {
> + policy_err("Policy '%s' not found!\n", name);
> + return -ENOENT;
> + }
> +
> + return security_policy_activate(policy);
> +}
> +
> +int __security_policy_register(const struct security_policy policy[])
> +{
> + int ret = 0;
> +
> + do {
> + struct policy_list_entry *entry;
> +
> + if (security_policy_get(policy->name)) {
> + policy_err("policy '%s' already registered\n", policy->name);
> + ret = -EBUSY;
> + continue;
> + }
> +
> + entry = xzalloc(sizeof(*entry));
> + entry->policy = policy;
> + list_add_tail(&entry->list, &policy_list);
> + } while ((policy++)->chained);
> +
> + return ret;
> +}
> +
> +#ifdef CONFIG_CMD_SCONFIG
> +void security_policy_unregister_one(const struct security_policy *policy)
> +{
> + struct policy_list_entry *entry;
> +
> + if (!policy)
> + return;
> +
> + list_for_each_entry(entry, &policy_list, list) {
> + if (entry->policy == policy) {
> + list_del(&entry->list);
> + return;
> + }
> + }
> +}
> +#endif
> +
> +void security_policy_list(void)
> +{
> + const struct policy_list_entry *entry;
> +
> + list_for_each_entry(entry, &policy_list, list) {
> + printf("%s\n", entry->policy->name);
> + }
> +}
> +
> +static int sconfig_handler_filtered(struct notifier_block *nb,
> + unsigned long opt, void *data)
> +{
> + struct sconfig_notifier_block *snb
> + = container_of(nb, struct sconfig_notifier_block, nb);
> + bool allow;
> +
> + if (snb->opt != opt)
> + return NOTIFY_DONE;
> +
> + allow = is_allowed(NULL, opt);
> +
> + policy_debug(active_policy, opt, "calling %pS to %s\n",
> + snb->cb_filtered, allow ? "allow" : "deny");
> +
> + snb->cb_filtered(snb, opt, is_allowed(NULL, opt));
> + return NOTIFY_OK;
> +}
> +
> +int __sconfig_register_handler_filtered(struct sconfig_notifier_block *snb,
> + sconfig_notifier_callback_t cb,
> + enum security_config_option opt)
> +{
> + snb->cb_filtered = cb;
> + snb->opt = opt;
> + return sconfig_register_handler(&snb->nb, sconfig_handler_filtered);
> +}
> +
> +struct device security_device = {
> + .name = "security",
> + .id = DEVICE_ID_SINGLE,
> +};
> +
> +static char *policy_name = "";
> +
> +static int security_policy_get_name(struct param_d *param, void *priv)
> +{
> + if (!active_policy) {
> + policy_name = "";
> + return 0;
> + }
> +
> + free_const(policy_name);
> + policy_name = strdup(active_policy->name);
> + return 0;
> +}
> +
> +static int security_init(void)
> +{
> + register_device(&security_device);
> +
> + dev_add_param_string(&security_device, "policy", param_set_readonly,
> + security_policy_get_name, &policy_name, NULL);
> +
> + return 0;
> +}
> +pure_initcall(security_init);
> diff --git a/security/sconfig_names.c b/security/sconfig_names.c
> new file mode 100644
> index 0000000000000000000000000000000000000000..c830c4eb389202403e049db6a71b70f0f18b76f5
> --- /dev/null
> +++ b/security/sconfig_names.c
> @@ -0,0 +1,18 @@
> +// SPDX-License-Identifier: GPL-2.0-only
> +
> +#include <security/config.h>
> +#include <string.h>
> +#include <errno.h>
> +#include <linux/kernel.h>
> +
> +#include <generated/sconfig_names.h>
> +
> +int sconfig_lookup(const char *name)
> +{
> + for (int i = 0; i < ARRAY_SIZE(sconfig_names); i++) {
> + if (!strcmp(name, sconfig_names[i]))
> + return i;
> + }
> +
> + return -ENOENT;
> +}
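Review bot: The loop in sconfig_lookup compares an `int` index against `ARRAY_SIZE(sconfig_names)`, which is a size_t, so the condition is a signed/unsigned comparison that -Wsign-compare flags; `for (size_t i = 0; i < ARRAY_SIZE(sconfig_names); i++)` with `return (int)i;` keeps the return contract intact. The function also has no comment stating what it returns, so I would add `/* Map a security config option name to its index in sconfig_names, or -ENOENT if unknown. */` above the definition (the table presumably mirrors enum security_config_option, but that is not visible here). Whether callers can ever pass a NULL name is not visible in this hunk either; if they can, the strcmp would dereference it, so that is worth confirming against the callers that introduce the lookup.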
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |