
lsm: split the init code out into lsm_init.c

Continue pulling code out of security/security.c to improve
readability by moving all of the LSM framework initialization
code into a new file.

No code changes.

Reviewed-by: Kees Cook <kees@kernel.org>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

+601 -566
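--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -170,11 +170,10 @@
 		__used __section(".early_lsm_info.init")		\
 		__aligned(sizeof(unsigned long))
 
+
 /* DO NOT tamper with these variables outside of the LSM framework */
 extern char *lsm_names;
 extern struct lsm_static_calls_table static_calls_table __ro_after_init;
-extern struct lsm_info __start_lsm_info[], __end_lsm_info[];
-extern struct lsm_info __start_early_lsm_info[], __end_early_lsm_info[];
 
 /**
  * lsm_get_xattr_slot - Return the next available slot and increment the index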
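--- a/security/Makefile
+++ b/security/Makefile
@@ -11,7 +11,7 @@
 obj-$(CONFIG_MMU) += min_addr.o
 
 # Object file lists
-obj-$(CONFIG_SECURITY) += security.o lsm_notifier.o
+obj-$(CONFIG_SECURITY) += security.o lsm_notifier.o lsm_init.o
 obj-$(CONFIG_SECURITYFS) += inode.o
 obj-$(CONFIG_SECURITY_SELINUX) += selinux/
 obj-$(CONFIG_SECURITY_SMACK) += smack/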
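--- /dev/null
+++ b/security/lsm.h
@@ -0,0 +1,22 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * LSM functions
+ */
+
+#ifndef _LSM_H_
+#define _LSM_H_
+
+#include <linux/lsm_hooks.h>
+
+/* LSM blob configuration */
+extern struct lsm_blob_sizes blob_sizes;
+
+/* LSM blob caches */
+extern struct kmem_cache *lsm_file_cache;
+extern struct kmem_cache *lsm_inode_cache;
+
+/* LSM blob allocators */
+int lsm_cred_alloc(struct cred *cred, gfp_t gfp);
+int lsm_task_alloc(struct task_struct *task);
+
+#endif /* _LSM_H_ */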
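Review bot: `extern struct lsm_blob_sizes blob_sizes;` (line 12) declares the blob layout table without the `__ro_after_init` that the old definition carried (security.c old line 80, `static struct lsm_blob_sizes blob_sizes __ro_after_init;`), and the new definition at security.c line 93 drops it as well, so the offsets every blob allocator trusts stay writable after boot; that is a hardening regression the "No code changes" description does not cover. lsm_hooks.h already shows the pattern for a section-attributed extern (`extern struct lsm_static_calls_table static_calls_table __ro_after_init;`), so `extern struct lsm_blob_sizes blob_sizes __ro_after_init;` here plus the matching attribute on the definition in security.c would restore the previous protection. The blob sizes are only written during ordered_lsm_init(), which is `__init`, so the attribute should be safe to keep.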
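--- /dev/null
+++ b/security/lsm_init.c
@@ -0,0 +1,543 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * LSM initialization functions
+ */
+
+#define pr_fmt(fmt) "LSM: " fmt
+
+#include <linux/init.h>
+#include <linux/lsm_hooks.h>
+
+#include "lsm.h"
+
+char *lsm_names;
+
+/* Pointers to LSM sections defined in include/asm-generic/vmlinux.lds.h */
+extern struct lsm_info __start_lsm_info[], __end_lsm_info[];
+extern struct lsm_info __start_early_lsm_info[], __end_early_lsm_info[];
+
+/* Boot-time LSM user choice */
+static __initconst const char *const builtin_lsm_order = CONFIG_LSM;
+static __initdata const char *chosen_lsm_order;
+static __initdata const char *chosen_major_lsm;
+
+/* Ordered list of LSMs to initialize. */
+static __initdata struct lsm_info *ordered_lsms[MAX_LSM_COUNT + 1];
+static __initdata struct lsm_info *exclusive;
+
+static __initdata bool debug;
+#define init_debug(...)						\
+	do {							\
+		if (debug)					\
+			pr_info(__VA_ARGS__);			\
+	} while (0)
+
+static int lsm_append(const char *new, char **result);
+
+/* Save user chosen LSM */
+static int __init choose_major_lsm(char *str)
+{
+	chosen_major_lsm = str;
+	return 1;
+}
+__setup("security=", choose_major_lsm);
+
+/* Explicitly choose LSM initialization order. */
+static int __init choose_lsm_order(char *str)
+{
+	chosen_lsm_order = str;
+	return 1;
+}
+__setup("lsm=", choose_lsm_order);
+
+/* Enable LSM order debugging. */
+static int __init enable_debug(char *str)
+{
+	debug = true;
+	return 1;
+}
+__setup("lsm.debug", enable_debug);
+
+/* Mark an LSM's enabled flag. */
+static int lsm_enabled_true __initdata = 1;
+static int lsm_enabled_false __initdata = 0;
+static void __init set_enabled(struct lsm_info *lsm, bool enabled)
+{
+	/*
+	 * When an LSM hasn't configured an enable variable, we can use
+	 * a hard-coded location for storing the default enabled state.
+	 */
+	if (!lsm->enabled) {
+		if (enabled)
+			lsm->enabled = &lsm_enabled_true;
+		else
+			lsm->enabled = &lsm_enabled_false;
+	} else if (lsm->enabled == &lsm_enabled_true) {
+		if (!enabled)
+			lsm->enabled = &lsm_enabled_false;
+	} else if (lsm->enabled == &lsm_enabled_false) {
+		if (enabled)
+			lsm->enabled = &lsm_enabled_true;
+	} else {
+		*lsm->enabled = enabled;
+	}
+}
+
+static inline bool is_enabled(struct lsm_info *lsm)
+{
+	if (!lsm->enabled)
+		return false;
+
+	return *lsm->enabled;
+}
+
+/* Is an LSM already listed in the ordered LSMs list? */
+static bool __init exists_ordered_lsm(struct lsm_info *lsm)
+{
+	struct lsm_info **check;
+
+	for (check = ordered_lsms; *check; check++)
+		if (*check == lsm)
+			return true;
+
+	return false;
+}
+
+/* Append an LSM to the list of ordered LSMs to initialize. */
+static int last_lsm __initdata;
+static void __init append_ordered_lsm(struct lsm_info *lsm, const char *from)
+{
+	/* Ignore duplicate selections. */
+	if (exists_ordered_lsm(lsm))
+		return;
+
+	if (WARN(last_lsm == MAX_LSM_COUNT, "%s: out of LSM static calls!?\n", from))
+		return;
+
+	/* Enable this LSM, if it is not already set. */
+	if (!lsm->enabled)
+		lsm->enabled = &lsm_enabled_true;
+	ordered_lsms[last_lsm++] = lsm;
+
+	init_debug("%s ordered: %s (%s)\n", from, lsm->name,
+		   is_enabled(lsm) ? "enabled" : "disabled");
+}
+
+/* Is an LSM allowed to be initialized? */
+static bool __init lsm_allowed(struct lsm_info *lsm)
+{
+	/* Skip if the LSM is disabled. */
+	if (!is_enabled(lsm))
+		return false;
+
+	/* Not allowed if another exclusive LSM already initialized. */
+	if ((lsm->flags & LSM_FLAG_EXCLUSIVE) && exclusive) {
+		init_debug("exclusive disabled: %s\n", lsm->name);
+		return false;
+	}
+
+	return true;
+}
+
+static void __init lsm_set_blob_size(int *need, int *lbs)
+{
+	int offset;
+
+	if (*need <= 0)
+		return;
+
+	offset = ALIGN(*lbs, sizeof(void *));
+	*lbs = offset + *need;
+	*need = offset;
+}
+
+static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed)
+{
+	if (!needed)
+		return;
+
+	lsm_set_blob_size(&needed->lbs_cred, &blob_sizes.lbs_cred);
+	lsm_set_blob_size(&needed->lbs_file, &blob_sizes.lbs_file);
+	lsm_set_blob_size(&needed->lbs_ib, &blob_sizes.lbs_ib);
+	/*
+	 * The inode blob gets an rcu_head in addition to
+	 * what the modules might need.
+	 */
+	if (needed->lbs_inode && blob_sizes.lbs_inode == 0)
+		blob_sizes.lbs_inode = sizeof(struct rcu_head);
+	lsm_set_blob_size(&needed->lbs_inode, &blob_sizes.lbs_inode);
+	lsm_set_blob_size(&needed->lbs_ipc, &blob_sizes.lbs_ipc);
+	lsm_set_blob_size(&needed->lbs_key, &blob_sizes.lbs_key);
+	lsm_set_blob_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg);
+	lsm_set_blob_size(&needed->lbs_perf_event, &blob_sizes.lbs_perf_event);
+	lsm_set_blob_size(&needed->lbs_sock, &blob_sizes.lbs_sock);
+	lsm_set_blob_size(&needed->lbs_superblock, &blob_sizes.lbs_superblock);
+	lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task);
+	lsm_set_blob_size(&needed->lbs_tun_dev, &blob_sizes.lbs_tun_dev);
+	lsm_set_blob_size(&needed->lbs_xattr_count,
+			  &blob_sizes.lbs_xattr_count);
+	lsm_set_blob_size(&needed->lbs_bdev, &blob_sizes.lbs_bdev);
+	lsm_set_blob_size(&needed->lbs_bpf_map, &blob_sizes.lbs_bpf_map);
+	lsm_set_blob_size(&needed->lbs_bpf_prog, &blob_sizes.lbs_bpf_prog);
+	lsm_set_blob_size(&needed->lbs_bpf_token, &blob_sizes.lbs_bpf_token);
+}
+
+/* Prepare LSM for initialization. */
+static void __init prepare_lsm(struct lsm_info *lsm)
+{
+	int enabled = lsm_allowed(lsm);
+
+	/* Record enablement (to handle any following exclusive LSMs). */
+	set_enabled(lsm, enabled);
+
+	/* If enabled, do pre-initialization work. */
+	if (enabled) {
+		if ((lsm->flags & LSM_FLAG_EXCLUSIVE) && !exclusive) {
+			exclusive = lsm;
+			init_debug("exclusive chosen: %s\n", lsm->name);
+		}
+
+		lsm_set_blob_sizes(lsm->blobs);
+	}
+}
+
+/* Initialize a given LSM, if it is enabled. */
+static void __init initialize_lsm(struct lsm_info *lsm)
+{
+	if (is_enabled(lsm)) {
+		int ret;
+
+		init_debug("initializing %s\n", lsm->name);
+		ret = lsm->init();
+		WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret);
+	}
+}
+
+/*
+ * Current index to use while initializing the lsm id list.
+ */
+u32 lsm_active_cnt __ro_after_init;
+const struct lsm_id *lsm_idlist[MAX_LSM_COUNT];
+
+/* Populate ordered LSMs list from comma-separated LSM name list. */
+static void __init ordered_lsm_parse(const char *order, const char *origin)
+{
+	struct lsm_info *lsm;
+	char *sep, *name, *next;
+
+	/* LSM_ORDER_FIRST is always first. */
+	for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
+		if (lsm->order == LSM_ORDER_FIRST)
+			append_ordered_lsm(lsm, " first");
+	}
+
+	/* Process "security=", if given. */
+	if (chosen_major_lsm) {
+		struct lsm_info *major;
+
+		/*
+		 * To match the original "security=" behavior, this
+		 * explicitly does NOT fallback to another Legacy Major
+		 * if the selected one was separately disabled: disable
+		 * all non-matching Legacy Major LSMs.
+		 */
+		for (major = __start_lsm_info; major < __end_lsm_info;
+		     major++) {
+			if ((major->flags & LSM_FLAG_LEGACY_MAJOR) &&
+			    strcmp(major->name, chosen_major_lsm) != 0) {
+				set_enabled(major, false);
+				init_debug("security=%s disabled: %s (only one legacy major LSM)\n",
+					   chosen_major_lsm, major->name);
+			}
+		}
+	}
+
+	sep = kstrdup(order, GFP_KERNEL);
+	next = sep;
+	/* Walk the list, looking for matching LSMs. */
+	while ((name = strsep(&next, ",")) != NULL) {
+		bool found = false;
+
+		for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
+			if (strcmp(lsm->name, name) == 0) {
+				if (lsm->order == LSM_ORDER_MUTABLE)
+					append_ordered_lsm(lsm, origin);
+				found = true;
+			}
+		}
+
+		if (!found)
+			init_debug("%s ignored: %s (not built into kernel)\n",
+				   origin, name);
+	}
+
+	/* Process "security=", if given. */
+	if (chosen_major_lsm) {
+		for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
+			if (exists_ordered_lsm(lsm))
+				continue;
+			if (strcmp(lsm->name, chosen_major_lsm) == 0)
+				append_ordered_lsm(lsm, "security=");
+		}
+	}
+
+	/* LSM_ORDER_LAST is always last. */
+	for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
+		if (lsm->order == LSM_ORDER_LAST)
+			append_ordered_lsm(lsm, " last");
+	}
+
+	/* Disable all LSMs not in the ordered list. */
+	for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
+		if (exists_ordered_lsm(lsm))
+			continue;
+		set_enabled(lsm, false);
+		init_debug("%s skipped: %s (not in requested order)\n",
+			   origin, lsm->name);
+	}
+
+	kfree(sep);
+}
+
+static void __init report_lsm_order(void)
+{
+	struct lsm_info **lsm, *early;
+	int first = 0;
+
+	pr_info("initializing lsm=");
+
+	/* Report each enabled LSM name, comma separated. */
+	for (early = __start_early_lsm_info;
+	     early < __end_early_lsm_info; early++)
+		if (is_enabled(early))
+			pr_cont("%s%s", first++ == 0 ? "" : ",", early->name);
+	for (lsm = ordered_lsms; *lsm; lsm++)
+		if (is_enabled(*lsm))
+			pr_cont("%s%s", first++ == 0 ? "" : ",", (*lsm)->name);
+
+	pr_cont("\n");
+}
+
+/**
+ * lsm_early_cred - during initialization allocate a composite cred blob
+ * @cred: the cred that needs a blob
+ *
+ * Allocate the cred blob for all the modules
+ */
+static void __init lsm_early_cred(struct cred *cred)
+{
+	int rc = lsm_cred_alloc(cred, GFP_KERNEL);
+
+	if (rc)
+		panic("%s: Early cred alloc failed.\n", __func__);
+}
+
+/**
+ * lsm_early_task - during initialization allocate a composite task blob
+ * @task: the task that needs a blob
+ *
+ * Allocate the task blob for all the modules
+ */
+static void __init lsm_early_task(struct task_struct *task)
+{
+	int rc = lsm_task_alloc(task);
+
+	if (rc)
+		panic("%s: Early task alloc failed.\n", __func__);
+}
+
+static void __init ordered_lsm_init(void)
+{
+	struct lsm_info **lsm;
+
+	if (chosen_lsm_order) {
+		if (chosen_major_lsm) {
+			pr_warn("security=%s is ignored because it is superseded by lsm=%s\n",
+				chosen_major_lsm, chosen_lsm_order);
+			chosen_major_lsm = NULL;
+		}
+		ordered_lsm_parse(chosen_lsm_order, "cmdline");
+	} else
+		ordered_lsm_parse(builtin_lsm_order, "builtin");
+
+	for (lsm = ordered_lsms; *lsm; lsm++)
+		prepare_lsm(*lsm);
+
+	report_lsm_order();
+
+	init_debug("cred blob size = %d\n", blob_sizes.lbs_cred);
+	init_debug("file blob size = %d\n", blob_sizes.lbs_file);
+	init_debug("ib blob size = %d\n", blob_sizes.lbs_ib);
+	init_debug("inode blob size = %d\n", blob_sizes.lbs_inode);
+	init_debug("ipc blob size = %d\n", blob_sizes.lbs_ipc);
+#ifdef CONFIG_KEYS
+	init_debug("key blob size = %d\n", blob_sizes.lbs_key);
+#endif /* CONFIG_KEYS */
+	init_debug("msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg);
+	init_debug("sock blob size = %d\n", blob_sizes.lbs_sock);
+	init_debug("superblock blob size = %d\n", blob_sizes.lbs_superblock);
+	init_debug("perf event blob size = %d\n", blob_sizes.lbs_perf_event);
+	init_debug("task blob size = %d\n", blob_sizes.lbs_task);
+	init_debug("tun device blob size = %d\n", blob_sizes.lbs_tun_dev);
+	init_debug("xattr slots = %d\n", blob_sizes.lbs_xattr_count);
+	init_debug("bdev blob size = %d\n", blob_sizes.lbs_bdev);
+	init_debug("bpf map blob size = %d\n", blob_sizes.lbs_bpf_map);
+	init_debug("bpf prog blob size = %d\n", blob_sizes.lbs_bpf_prog);
+	init_debug("bpf token blob size = %d\n", blob_sizes.lbs_bpf_token);
+
+	/*
+	 * Create any kmem_caches needed for blobs
+	 */
+	if (blob_sizes.lbs_file)
+		lsm_file_cache = kmem_cache_create("lsm_file_cache",
+						   blob_sizes.lbs_file, 0,
+						   SLAB_PANIC, NULL);
+	if (blob_sizes.lbs_inode)
+		lsm_inode_cache = kmem_cache_create("lsm_inode_cache",
+						    blob_sizes.lbs_inode, 0,
+						    SLAB_PANIC, NULL);
+
+	lsm_early_cred((struct cred *) current->cred);
+	lsm_early_task(current);
+	for (lsm = ordered_lsms; *lsm; lsm++)
+		initialize_lsm(*lsm);
+}
+
+static bool match_last_lsm(const char *list, const char *lsm)
+{
+	const char *last;
+
+	if (WARN_ON(!list || !lsm))
+		return false;
+	last = strrchr(list, ',');
+	if (last)
+		/* Pass the comma, strcmp() will check for '\0' */
+		last++;
+	else
+		last = list;
+	return !strcmp(last, lsm);
+}
+
+static int lsm_append(const char *new, char **result)
+{
+	char *cp;
+
+	if (*result == NULL) {
+		*result = kstrdup(new, GFP_KERNEL);
+		if (*result == NULL)
+			return -ENOMEM;
+	} else {
+		/* Check if it is the last registered name */
+		if (match_last_lsm(*result, new))
+			return 0;
+		cp = kasprintf(GFP_KERNEL, "%s,%s", *result, new);
+		if (cp == NULL)
+			return -ENOMEM;
+		kfree(*result);
+		*result = cp;
+	}
+	return 0;
+}
+
+static void __init lsm_static_call_init(struct security_hook_list *hl)
+{
+	struct lsm_static_call *scall = hl->scalls;
+	int i;
+
+	for (i = 0; i < MAX_LSM_COUNT; i++) {
+		/* Update the first static call that is not used yet */
+		if (!scall->hl) {
+			__static_call_update(scall->key, scall->trampoline,
+					     hl->hook.lsm_func_addr);
+			scall->hl = hl;
+			static_branch_enable(scall->active);
+			return;
+		}
+		scall++;
+	}
+	panic("%s - Ran out of static slots.\n", __func__);
+}
+
+/**
+ * security_add_hooks - Add a modules hooks to the hook lists.
+ * @hooks: the hooks to add
+ * @count: the number of hooks to add
+ * @lsmid: the identification information for the security module
+ *
+ * Each LSM has to register its hooks with the infrastructure.
+ */
+void __init security_add_hooks(struct security_hook_list *hooks, int count,
+			       const struct lsm_id *lsmid)
+{
+	int i;
+
+	/*
+	 * A security module may call security_add_hooks() more
+	 * than once during initialization, and LSM initialization
+	 * is serialized. Landlock is one such case.
+	 * Look at the previous entry, if there is one, for duplication.
+	 */
+	if (lsm_active_cnt == 0 || lsm_idlist[lsm_active_cnt - 1] != lsmid) {
+		if (lsm_active_cnt >= MAX_LSM_COUNT)
+			panic("%s Too many LSMs registered.\n", __func__);
+		lsm_idlist[lsm_active_cnt++] = lsmid;
+	}
+
+	for (i = 0; i < count; i++) {
+		hooks[i].lsmid = lsmid;
+		lsm_static_call_init(&hooks[i]);
+	}
+
+	/*
+	 * Don't try to append during early_security_init(), we'll come back
+	 * and fix this up afterwards.
+	 */
+	if (slab_is_available()) {
+		if (lsm_append(lsmid->name, &lsm_names) < 0)
+			panic("%s - Cannot get early memory.\n", __func__);
+	}
+}
+
+int __init early_security_init(void)
+{
+	struct lsm_info *lsm;
+
+	for (lsm = __start_early_lsm_info; lsm < __end_early_lsm_info; lsm++) {
+		if (!lsm->enabled)
+			lsm->enabled = &lsm_enabled_true;
+		prepare_lsm(lsm);
+		initialize_lsm(lsm);
+	}
+
+	return 0;
+}
+
+/**
+ * security_init - initializes the security framework
+ *
+ * This should be called early in the kernel initialization sequence.
+ */
+int __init security_init(void)
+{
+	struct lsm_info *lsm;
+
+	init_debug("legacy security=%s\n", chosen_major_lsm ? : " *unspecified*");
+	init_debug(" CONFIG_LSM=%s\n", builtin_lsm_order);
+	init_debug("boot arg lsm=%s\n", chosen_lsm_order ? : " *unspecified*");
+
+	/*
+	 * Append the names of the early LSM modules now that kmalloc() is
+	 * available
+	 */
+	for (lsm = __start_early_lsm_info; lsm < __end_early_lsm_info; lsm++) {
+		init_debug(" early started: %s (%s)\n", lsm->name,
+			   is_enabled(lsm) ? "enabled" : "disabled");
+		if (lsm->enabled)
+			lsm_append(lsm->name, &lsm_names);
+	}
+
+	/* Load LSMs in specified order. */
+	ordered_lsm_init();
+
+	return 0;
+}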
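Review bot: In security_init() the guard `if (lsm->enabled)` (line 535) tests whether the enabled pointer is set rather than the LSM's enabled state, and early_security_init() (lines 506-507) together with prepare_lsm()/set_enabled() leaves that pointer non-NULL for every early LSM, so the condition is always true there and a disabled early LSM would still be appended to lsm_names; the debug call two lines above already uses `is_enabled(lsm)` for the same decision. The return value of lsm_append() is also dropped on line 536, while security_add_hooks() (line 496) panics on the same -ENOMEM, so an allocation failure would silently leave an early LSM out of the name list that userspace later reads. Both are pre-existing in the moved code rather than introduced by this patch, so a follow-up seems the right place; the minimal fix is `if (is_enabled(lsm) && lsm_append(lsm->name, &lsm_names) < 0)` followed by `panic("%s - Cannot get early memory.\n", __func__);`. Whether a disabled early LSM can actually reach that point depends on the early LSMs' lsm_info definitions, which are outside this file.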
+34 -563
security/security.c
··· 32 32 #include <net/flow.h> 33 33 #include <net/sock.h> 34 34 35 - #define SECURITY_HOOK_ACTIVE_KEY(HOOK, IDX) security_hook_active_##HOOK##_##IDX 36 - 37 - /* 38 - * Identifier for the LSM static calls. 39 - * HOOK is an LSM hook as defined in linux/lsm_hookdefs.h 40 - * IDX is the index of the static call. 0 <= NUM < MAX_LSM_COUNT 41 - */ 42 - #define LSM_STATIC_CALL(HOOK, IDX) lsm_static_call_##HOOK##_##IDX 43 - 44 - /* 45 - * Call the macro M for each LSM hook MAX_LSM_COUNT times. 46 - */ 47 - #define LSM_LOOP_UNROLL(M, ...) \ 48 - do { \ 49 - UNROLL(MAX_LSM_COUNT, M, __VA_ARGS__) \ 50 - } while (0) 51 - 52 - #define LSM_DEFINE_UNROLL(M, ...) UNROLL(MAX_LSM_COUNT, M, __VA_ARGS__) 35 + #include "lsm.h" 53 36 54 37 /* 55 38 * These are descriptions of the reasons that can be passed to the ··· 73 90 [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", 74 91 }; 75 92 76 - static struct kmem_cache *lsm_file_cache; 77 - static struct kmem_cache *lsm_inode_cache; 93 + struct lsm_blob_sizes blob_sizes; 78 94 79 - char *lsm_names; 80 - static struct lsm_blob_sizes blob_sizes __ro_after_init; 95 + struct kmem_cache *lsm_file_cache; 96 + struct kmem_cache *lsm_inode_cache; 81 97 82 - /* Boot-time LSM user choice */ 83 - static __initdata const char *chosen_lsm_order; 84 - static __initdata const char *chosen_major_lsm; 98 + #define SECURITY_HOOK_ACTIVE_KEY(HOOK, IDX) security_hook_active_##HOOK##_##IDX 85 99 86 - static __initconst const char *const builtin_lsm_order = CONFIG_LSM; 100 + /* 101 + * Identifier for the LSM static calls. 102 + * HOOK is an LSM hook as defined in linux/lsm_hookdefs.h 103 + * IDX is the index of the static call. 0 <= NUM < MAX_LSM_COUNT 104 + */ 105 + #define LSM_STATIC_CALL(HOOK, IDX) lsm_static_call_##HOOK##_##IDX 87 106 88 - /* Ordered list of LSMs to initialize. 
*/ 89 - static __initdata struct lsm_info *ordered_lsms[MAX_LSM_COUNT + 1]; 90 - static __initdata struct lsm_info *exclusive; 107 + /* 108 + * Call the macro M for each LSM hook MAX_LSM_COUNT times. 109 + */ 110 + #define LSM_LOOP_UNROLL(M, ...) \ 111 + do { \ 112 + UNROLL(MAX_LSM_COUNT, M, __VA_ARGS__) \ 113 + } while (0) 114 + 115 + #define LSM_DEFINE_UNROLL(M, ...) UNROLL(MAX_LSM_COUNT, M, __VA_ARGS__) 91 116 92 117 #ifdef CONFIG_HAVE_STATIC_CALL 93 118 #define LSM_HOOK_TRAMP(NAME, NUM) \ ··· 146 155 #undef INIT_LSM_STATIC_CALL 147 156 }; 148 157 149 - static __initdata bool debug; 150 - #define init_debug(...) \ 151 - do { \ 152 - if (debug) \ 153 - pr_info(__VA_ARGS__); \ 154 - } while (0) 155 - 156 - static bool __init is_enabled(struct lsm_info *lsm) 157 - { 158 - if (!lsm->enabled) 159 - return false; 160 - 161 - return *lsm->enabled; 162 - } 163 - 164 - /* Mark an LSM's enabled flag. */ 165 - static int lsm_enabled_true __initdata = 1; 166 - static int lsm_enabled_false __initdata = 0; 167 - static void __init set_enabled(struct lsm_info *lsm, bool enabled) 168 - { 169 - /* 170 - * When an LSM hasn't configured an enable variable, we can use 171 - * a hard-coded location for storing the default enabled state. 172 - */ 173 - if (!lsm->enabled) { 174 - if (enabled) 175 - lsm->enabled = &lsm_enabled_true; 176 - else 177 - lsm->enabled = &lsm_enabled_false; 178 - } else if (lsm->enabled == &lsm_enabled_true) { 179 - if (!enabled) 180 - lsm->enabled = &lsm_enabled_false; 181 - } else if (lsm->enabled == &lsm_enabled_false) { 182 - if (enabled) 183 - lsm->enabled = &lsm_enabled_true; 184 - } else { 185 - *lsm->enabled = enabled; 186 - } 187 - } 188 - 189 - /* Is an LSM already listed in the ordered LSMs list? 
*/ 190 - static bool __init exists_ordered_lsm(struct lsm_info *lsm) 191 - { 192 - struct lsm_info **check; 193 - 194 - for (check = ordered_lsms; *check; check++) 195 - if (*check == lsm) 196 - return true; 197 - 198 - return false; 199 - } 200 - 201 - /* Append an LSM to the list of ordered LSMs to initialize. */ 202 - static int last_lsm __initdata; 203 - static void __init append_ordered_lsm(struct lsm_info *lsm, const char *from) 204 - { 205 - /* Ignore duplicate selections. */ 206 - if (exists_ordered_lsm(lsm)) 207 - return; 208 - 209 - if (WARN(last_lsm == MAX_LSM_COUNT, "%s: out of LSM static calls!?\n", from)) 210 - return; 211 - 212 - /* Enable this LSM, if it is not already set. */ 213 - if (!lsm->enabled) 214 - lsm->enabled = &lsm_enabled_true; 215 - ordered_lsms[last_lsm++] = lsm; 216 - 217 - init_debug("%s ordered: %s (%s)\n", from, lsm->name, 218 - is_enabled(lsm) ? "enabled" : "disabled"); 219 - } 220 - 221 - /* Is an LSM allowed to be initialized? */ 222 - static bool __init lsm_allowed(struct lsm_info *lsm) 223 - { 224 - /* Skip if the LSM is disabled. */ 225 - if (!is_enabled(lsm)) 226 - return false; 227 - 228 - /* Not allowed if another exclusive LSM already initialized. 
*/ 229 - if ((lsm->flags & LSM_FLAG_EXCLUSIVE) && exclusive) { 230 - init_debug("exclusive disabled: %s\n", lsm->name); 231 - return false; 232 - } 233 - 234 - return true; 235 - } 236 - 237 - static void __init lsm_set_blob_size(int *need, int *lbs) 238 - { 239 - int offset; 240 - 241 - if (*need <= 0) 242 - return; 243 - 244 - offset = ALIGN(*lbs, sizeof(void *)); 245 - *lbs = offset + *need; 246 - *need = offset; 247 - } 248 - 249 - static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed) 250 - { 251 - if (!needed) 252 - return; 253 - 254 - lsm_set_blob_size(&needed->lbs_cred, &blob_sizes.lbs_cred); 255 - lsm_set_blob_size(&needed->lbs_file, &blob_sizes.lbs_file); 256 - lsm_set_blob_size(&needed->lbs_ib, &blob_sizes.lbs_ib); 257 - /* 258 - * The inode blob gets an rcu_head in addition to 259 - * what the modules might need. 260 - */ 261 - if (needed->lbs_inode && blob_sizes.lbs_inode == 0) 262 - blob_sizes.lbs_inode = sizeof(struct rcu_head); 263 - lsm_set_blob_size(&needed->lbs_inode, &blob_sizes.lbs_inode); 264 - lsm_set_blob_size(&needed->lbs_ipc, &blob_sizes.lbs_ipc); 265 - lsm_set_blob_size(&needed->lbs_key, &blob_sizes.lbs_key); 266 - lsm_set_blob_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg); 267 - lsm_set_blob_size(&needed->lbs_perf_event, &blob_sizes.lbs_perf_event); 268 - lsm_set_blob_size(&needed->lbs_sock, &blob_sizes.lbs_sock); 269 - lsm_set_blob_size(&needed->lbs_superblock, &blob_sizes.lbs_superblock); 270 - lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task); 271 - lsm_set_blob_size(&needed->lbs_tun_dev, &blob_sizes.lbs_tun_dev); 272 - lsm_set_blob_size(&needed->lbs_xattr_count, 273 - &blob_sizes.lbs_xattr_count); 274 - lsm_set_blob_size(&needed->lbs_bdev, &blob_sizes.lbs_bdev); 275 - lsm_set_blob_size(&needed->lbs_bpf_map, &blob_sizes.lbs_bpf_map); 276 - lsm_set_blob_size(&needed->lbs_bpf_prog, &blob_sizes.lbs_bpf_prog); 277 - lsm_set_blob_size(&needed->lbs_bpf_token, &blob_sizes.lbs_bpf_token); 278 - } 279 - 280 - /* 
Prepare LSM for initialization. */ 281 - static void __init prepare_lsm(struct lsm_info *lsm) 282 - { 283 - int enabled = lsm_allowed(lsm); 284 - 285 - /* Record enablement (to handle any following exclusive LSMs). */ 286 - set_enabled(lsm, enabled); 287 - 288 - /* If enabled, do pre-initialization work. */ 289 - if (enabled) { 290 - if ((lsm->flags & LSM_FLAG_EXCLUSIVE) && !exclusive) { 291 - exclusive = lsm; 292 - init_debug("exclusive chosen: %s\n", lsm->name); 293 - } 294 - 295 - lsm_set_blob_sizes(lsm->blobs); 296 - } 297 - } 298 - 299 - /* Initialize a given LSM, if it is enabled. */ 300 - static void __init initialize_lsm(struct lsm_info *lsm) 301 - { 302 - if (is_enabled(lsm)) { 303 - int ret; 304 - 305 - init_debug("initializing %s\n", lsm->name); 306 - ret = lsm->init(); 307 - WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret); 308 - } 309 - } 310 - 311 - /* 312 - * Current index to use while initializing the lsm id list. 313 - */ 314 - u32 lsm_active_cnt __ro_after_init; 315 - const struct lsm_id *lsm_idlist[MAX_LSM_COUNT]; 316 - 317 - /* Populate ordered LSMs list from comma-separated LSM name list. */ 318 - static void __init ordered_lsm_parse(const char *order, const char *origin) 319 - { 320 - struct lsm_info *lsm; 321 - char *sep, *name, *next; 322 - 323 - /* LSM_ORDER_FIRST is always first. */ 324 - for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { 325 - if (lsm->order == LSM_ORDER_FIRST) 326 - append_ordered_lsm(lsm, " first"); 327 - } 328 - 329 - /* Process "security=", if given. */ 330 - if (chosen_major_lsm) { 331 - struct lsm_info *major; 332 - 333 - /* 334 - * To match the original "security=" behavior, this 335 - * explicitly does NOT fallback to another Legacy Major 336 - * if the selected one was separately disabled: disable 337 - * all non-matching Legacy Major LSMs. 
338 - */ 339 - for (major = __start_lsm_info; major < __end_lsm_info; 340 - major++) { 341 - if ((major->flags & LSM_FLAG_LEGACY_MAJOR) && 342 - strcmp(major->name, chosen_major_lsm) != 0) { 343 - set_enabled(major, false); 344 - init_debug("security=%s disabled: %s (only one legacy major LSM)\n", 345 - chosen_major_lsm, major->name); 346 - } 347 - } 348 - } 349 - 350 - sep = kstrdup(order, GFP_KERNEL); 351 - next = sep; 352 - /* Walk the list, looking for matching LSMs. */ 353 - while ((name = strsep(&next, ",")) != NULL) { 354 - bool found = false; 355 - 356 - for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { 357 - if (strcmp(lsm->name, name) == 0) { 358 - if (lsm->order == LSM_ORDER_MUTABLE) 359 - append_ordered_lsm(lsm, origin); 360 - found = true; 361 - } 362 - } 363 - 364 - if (!found) 365 - init_debug("%s ignored: %s (not built into kernel)\n", 366 - origin, name); 367 - } 368 - 369 - /* Process "security=", if given. */ 370 - if (chosen_major_lsm) { 371 - for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { 372 - if (exists_ordered_lsm(lsm)) 373 - continue; 374 - if (strcmp(lsm->name, chosen_major_lsm) == 0) 375 - append_ordered_lsm(lsm, "security="); 376 - } 377 - } 378 - 379 - /* LSM_ORDER_LAST is always last. */ 380 - for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { 381 - if (lsm->order == LSM_ORDER_LAST) 382 - append_ordered_lsm(lsm, " last"); 383 - } 384 - 385 - /* Disable all LSMs not in the ordered list. 
*/ 386 - for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { 387 - if (exists_ordered_lsm(lsm)) 388 - continue; 389 - set_enabled(lsm, false); 390 - init_debug("%s skipped: %s (not in requested order)\n", 391 - origin, lsm->name); 392 - } 393 - 394 - kfree(sep); 395 - } 396 - 397 - static void __init lsm_static_call_init(struct security_hook_list *hl) 398 - { 399 - struct lsm_static_call *scall = hl->scalls; 400 - int i; 401 - 402 - for (i = 0; i < MAX_LSM_COUNT; i++) { 403 - /* Update the first static call that is not used yet */ 404 - if (!scall->hl) { 405 - __static_call_update(scall->key, scall->trampoline, 406 - hl->hook.lsm_func_addr); 407 - scall->hl = hl; 408 - static_branch_enable(scall->active); 409 - return; 410 - } 411 - scall++; 412 - } 413 - panic("%s - Ran out of static slots.\n", __func__); 414 - } 415 - 416 - static void __init lsm_early_cred(struct cred *cred); 417 - static void __init lsm_early_task(struct task_struct *task); 418 - 419 - static int lsm_append(const char *new, char **result); 420 - 421 - static void __init report_lsm_order(void) 422 - { 423 - struct lsm_info **lsm, *early; 424 - int first = 0; 425 - 426 - pr_info("initializing lsm="); 427 - 428 - /* Report each enabled LSM name, comma separated. */ 429 - for (early = __start_early_lsm_info; 430 - early < __end_early_lsm_info; early++) 431 - if (is_enabled(early)) 432 - pr_cont("%s%s", first++ == 0 ? "" : ",", early->name); 433 - for (lsm = ordered_lsms; *lsm; lsm++) 434 - if (is_enabled(*lsm)) 435 - pr_cont("%s%s", first++ == 0 ? 
"" : ",", (*lsm)->name); 436 - 437 - pr_cont("\n"); 438 - } 439 - 440 - static void __init ordered_lsm_init(void) 441 - { 442 - struct lsm_info **lsm; 443 - 444 - if (chosen_lsm_order) { 445 - if (chosen_major_lsm) { 446 - pr_warn("security=%s is ignored because it is superseded by lsm=%s\n", 447 - chosen_major_lsm, chosen_lsm_order); 448 - chosen_major_lsm = NULL; 449 - } 450 - ordered_lsm_parse(chosen_lsm_order, "cmdline"); 451 - } else 452 - ordered_lsm_parse(builtin_lsm_order, "builtin"); 453 - 454 - for (lsm = ordered_lsms; *lsm; lsm++) 455 - prepare_lsm(*lsm); 456 - 457 - report_lsm_order(); 458 - 459 - init_debug("cred blob size = %d\n", blob_sizes.lbs_cred); 460 - init_debug("file blob size = %d\n", blob_sizes.lbs_file); 461 - init_debug("ib blob size = %d\n", blob_sizes.lbs_ib); 462 - init_debug("inode blob size = %d\n", blob_sizes.lbs_inode); 463 - init_debug("ipc blob size = %d\n", blob_sizes.lbs_ipc); 464 - #ifdef CONFIG_KEYS 465 - init_debug("key blob size = %d\n", blob_sizes.lbs_key); 466 - #endif /* CONFIG_KEYS */ 467 - init_debug("msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg); 468 - init_debug("sock blob size = %d\n", blob_sizes.lbs_sock); 469 - init_debug("superblock blob size = %d\n", blob_sizes.lbs_superblock); 470 - init_debug("perf event blob size = %d\n", blob_sizes.lbs_perf_event); 471 - init_debug("task blob size = %d\n", blob_sizes.lbs_task); 472 - init_debug("tun device blob size = %d\n", blob_sizes.lbs_tun_dev); 473 - init_debug("xattr slots = %d\n", blob_sizes.lbs_xattr_count); 474 - init_debug("bdev blob size = %d\n", blob_sizes.lbs_bdev); 475 - init_debug("bpf map blob size = %d\n", blob_sizes.lbs_bpf_map); 476 - init_debug("bpf prog blob size = %d\n", blob_sizes.lbs_bpf_prog); 477 - init_debug("bpf token blob size = %d\n", blob_sizes.lbs_bpf_token); 478 - 479 - /* 480 - * Create any kmem_caches needed for blobs 481 - */ 482 - if (blob_sizes.lbs_file) 483 - lsm_file_cache = kmem_cache_create("lsm_file_cache", 484 - 
blob_sizes.lbs_file, 0, 485 - SLAB_PANIC, NULL); 486 - if (blob_sizes.lbs_inode) 487 - lsm_inode_cache = kmem_cache_create("lsm_inode_cache", 488 - blob_sizes.lbs_inode, 0, 489 - SLAB_PANIC, NULL); 490 - 491 - lsm_early_cred((struct cred *) current->cred); 492 - lsm_early_task(current); 493 - for (lsm = ordered_lsms; *lsm; lsm++) 494 - initialize_lsm(*lsm); 495 - } 496 - 497 - int __init early_security_init(void) 498 - { 499 - struct lsm_info *lsm; 500 - 501 - for (lsm = __start_early_lsm_info; lsm < __end_early_lsm_info; lsm++) { 502 - if (!lsm->enabled) 503 - lsm->enabled = &lsm_enabled_true; 504 - prepare_lsm(lsm); 505 - initialize_lsm(lsm); 506 - } 507 - 508 - return 0; 509 - } 510 - 511 158 /** 512 - * security_init - initializes the security framework 159 + * lsm_file_alloc - allocate a composite file blob 160 + * @file: the file that needs a blob 513 161 * 514 - * This should be called early in the kernel initialization sequence. 515 - */ 516 - int __init security_init(void) 517 - { 518 - struct lsm_info *lsm; 519 - 520 - init_debug("legacy security=%s\n", chosen_major_lsm ? : " *unspecified*"); 521 - init_debug(" CONFIG_LSM=%s\n", builtin_lsm_order); 522 - init_debug("boot arg lsm=%s\n", chosen_lsm_order ? : " *unspecified*"); 523 - 524 - /* 525 - * Append the names of the early LSM modules now that kmalloc() is 526 - * available 527 - */ 528 - for (lsm = __start_early_lsm_info; lsm < __end_early_lsm_info; lsm++) { 529 - init_debug(" early started: %s (%s)\n", lsm->name, 530 - is_enabled(lsm) ? "enabled" : "disabled"); 531 - if (lsm->enabled) 532 - lsm_append(lsm->name, &lsm_names); 533 - } 534 - 535 - /* Load LSMs in specified order. */ 536 - ordered_lsm_init(); 537 - 538 - return 0; 539 - } 540 - 541 - /* Save user chosen LSM */ 542 - static int __init choose_major_lsm(char *str) 543 - { 544 - chosen_major_lsm = str; 545 - return 1; 546 - } 547 - __setup("security=", choose_major_lsm); 548 - 549 - /* Explicitly choose LSM initialization order. 
*/ 550 - static int __init choose_lsm_order(char *str) 551 - { 552 - chosen_lsm_order = str; 553 - return 1; 554 - } 555 - __setup("lsm=", choose_lsm_order); 556 - 557 - /* Enable LSM order debugging. */ 558 - static int __init enable_debug(char *str) 559 - { 560 - debug = true; 561 - return 1; 562 - } 563 - __setup("lsm.debug", enable_debug); 564 - 565 - static bool match_last_lsm(const char *list, const char *lsm) 566 - { 567 - const char *last; 568 - 569 - if (WARN_ON(!list || !lsm)) 570 - return false; 571 - last = strrchr(list, ','); 572 - if (last) 573 - /* Pass the comma, strcmp() will check for '\0' */ 574 - last++; 575 - else 576 - last = list; 577 - return !strcmp(last, lsm); 578 - } 579 - 580 - static int lsm_append(const char *new, char **result) 581 - { 582 - char *cp; 583 - 584 - if (*result == NULL) { 585 - *result = kstrdup(new, GFP_KERNEL); 586 - if (*result == NULL) 587 - return -ENOMEM; 588 - } else { 589 - /* Check if it is the last registered name */ 590 - if (match_last_lsm(*result, new)) 591 - return 0; 592 - cp = kasprintf(GFP_KERNEL, "%s,%s", *result, new); 593 - if (cp == NULL) 594 - return -ENOMEM; 595 - kfree(*result); 596 - *result = cp; 597 - } 598 - return 0; 599 - } 600 - 601 - /** 602 - * security_add_hooks - Add a modules hooks to the hook lists. 603 - * @hooks: the hooks to add 604 - * @count: the number of hooks to add 605 - * @lsmid: the identification information for the security module 162 + * Allocate the file blob for all the modules 606 163 * 607 - * Each LSM has to register its hooks with the infrastructure. 164 + * Returns 0, or -ENOMEM if memory can't be allocated. 
608 165 */ 609 - void __init security_add_hooks(struct security_hook_list *hooks, int count, 610 - const struct lsm_id *lsmid) 166 + static int lsm_file_alloc(struct file *file) 611 167 { 612 - int i; 613 - 614 - /* 615 - * A security module may call security_add_hooks() more 616 - * than once during initialization, and LSM initialization 617 - * is serialized. Landlock is one such case. 618 - * Look at the previous entry, if there is one, for duplication. 619 - */ 620 - if (lsm_active_cnt == 0 || lsm_idlist[lsm_active_cnt - 1] != lsmid) { 621 - if (lsm_active_cnt >= MAX_LSM_COUNT) 622 - panic("%s Too many LSMs registered.\n", __func__); 623 - lsm_idlist[lsm_active_cnt++] = lsmid; 168 + if (!lsm_file_cache) { 169 + file->f_security = NULL; 170 + return 0; 624 171 } 625 172 626 - for (i = 0; i < count; i++) { 627 - hooks[i].lsmid = lsmid; 628 - lsm_static_call_init(&hooks[i]); 629 - } 630 - 631 - /* 632 - * Don't try to append during early_security_init(), we'll come back 633 - * and fix this up afterwards. 634 - */ 635 - if (slab_is_available()) { 636 - if (lsm_append(lsmid->name, &lsm_names) < 0) 637 - panic("%s - Cannot get early memory.\n", __func__); 638 - } 173 + file->f_security = kmem_cache_zalloc(lsm_file_cache, GFP_KERNEL); 174 + if (file->f_security == NULL) 175 + return -ENOMEM; 176 + return 0; 639 177 } 640 178 641 179 /** ··· 199 679 * 200 680 * Returns 0, or -ENOMEM if memory can't be allocated. 
201 681 */ 202 - static int lsm_cred_alloc(struct cred *cred, gfp_t gfp) 682 + int lsm_cred_alloc(struct cred *cred, gfp_t gfp) 203 683 { 204 684 return lsm_blob_alloc(&cred->security, blob_sizes.lbs_cred, gfp); 205 - } 206 - 207 - /** 208 - * lsm_early_cred - during initialization allocate a composite cred blob 209 - * @cred: the cred that needs a blob 210 - * 211 - * Allocate the cred blob for all the modules 212 - */ 213 - static void __init lsm_early_cred(struct cred *cred) 214 - { 215 - int rc = lsm_cred_alloc(cred, GFP_KERNEL); 216 - 217 - if (rc) 218 - panic("%s: Early cred alloc failed.\n", __func__); 219 - } 220 - 221 - /** 222 - * lsm_file_alloc - allocate a composite file blob 223 - * @file: the file that needs a blob 224 - * 225 - * Allocate the file blob for all the modules 226 - * 227 - * Returns 0, or -ENOMEM if memory can't be allocated. 228 - */ 229 - static int lsm_file_alloc(struct file *file) 230 - { 231 - if (!lsm_file_cache) { 232 - file->f_security = NULL; 233 - return 0; 234 - } 235 - 236 - file->f_security = kmem_cache_zalloc(lsm_file_cache, GFP_KERNEL); 237 - if (file->f_security == NULL) 238 - return -ENOMEM; 239 - return 0; 240 685 } 241 686 242 687 /** ··· 234 749 * 235 750 * Returns 0, or -ENOMEM if memory can't be allocated. 
236 751 */ 237 - static int lsm_task_alloc(struct task_struct *task) 752 + int lsm_task_alloc(struct task_struct *task) 238 753 { 239 754 return lsm_blob_alloc(&task->security, blob_sizes.lbs_task, GFP_KERNEL); 240 755 } ··· 335 850 return lsm_blob_alloc(&token->security, blob_sizes.lbs_bpf_token, GFP_KERNEL); 336 851 } 337 852 #endif /* CONFIG_BPF_SYSCALL */ 338 - 339 - /** 340 - * lsm_early_task - during initialization allocate a composite task blob 341 - * @task: the task that needs a blob 342 - * 343 - * Allocate the task blob for all the modules 344 - */ 345 - static void __init lsm_early_task(struct task_struct *task) 346 - { 347 - int rc = lsm_task_alloc(task); 348 - 349 - if (rc) 350 - panic("%s: Early task alloc failed.\n", __func__); 351 - } 352 853 353 854 /** 354 855 * lsm_superblock_alloc - allocate a composite superblock blob