lsm: Only build lsm_audit.c if CONFIG_SECURITY and CONFIG_AUDIT are set

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

When CONFIG_AUDIT is set, its CONFIG_NET dependency is also set, and the
dev_get_by_index and init_net symbols (used by dump_common_audit_data)
are found by the linker. dump_common_audit_data() should then failed to
build when CONFIG_NET is not set. However, because the compiler is
smart, it knows that audit_log_start() always return NULL when
!CONFIG_AUDIT, and it doesn't build the body of common_lsm_audit(). As
a side effect, dump_common_audit_data() is not built and the linker
doesn't error out because of missing symbols.

Let's only build lsm_audit.o when CONFIG_SECURITY and CONFIG_AUDIT are
both set, which is checked with the new CONFIG_HAS_SECURITY_AUDIT.

ipv4_skb_to_auditdata() and ipv6_skb_to_auditdata() are only used by
Smack if CONFIG_AUDIT is set, so they don't need fake implementations.

Because common_lsm_audit() is used in multiple places without
CONFIG_AUDIT checks, add a fake implementation.

Link: https://lore.kernel.org/r/20241122143353.59367-2-mic@digikod.net
Cc: Casey Schaufler <casey@schaufler-ca.com>
Cc: James Morris <jmorris@namei.org>
Cc: Paul Moore <paul@paul-moore.com>
Cc: Serge E. Hallyn <serge@hallyn.com>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Paul Moore <paul@paul-moore.com>

authored by

Mickaël Salaün and committed by

Paul Moore 1 year ago 7ccbe076 7a9b65ab

+20 -1

3 changed files

expand all

include

linux

lsm_audit.h

security

Kconfig

Makefile

+14

include/linux/lsm_audit.h

··· 116 116 #define v4info fam.v4 117 117 #define v6info fam.v6 118 118 119 + #ifdef CONFIG_AUDIT 120 + 119 121 int ipv4_skb_to_auditdata(struct sk_buff *skb, 120 122 struct common_audit_data *ad, u8 *proto); 121 123 124 + #if IS_ENABLED(CONFIG_IPV6) 122 125 int ipv6_skb_to_auditdata(struct sk_buff *skb, 123 126 struct common_audit_data *ad, u8 *proto); 127 + #endif /* IS_ENABLED(CONFIG_IPV6) */ 124 128 125 129 void common_lsm_audit(struct common_audit_data *a, 126 130 void (*pre_audit)(struct audit_buffer *, void *), 127 131 void (*post_audit)(struct audit_buffer *, void *)); 132 + 133 + #else /* CONFIG_AUDIT */ 134 + 135 + static inline void common_lsm_audit(struct common_audit_data *a, 136 + void (*pre_audit)(struct audit_buffer *, void *), 137 + void (*post_audit)(struct audit_buffer *, void *)) 138 + { 139 + } 140 + 141 + #endif /* CONFIG_AUDIT */ 128 142 129 143 #endif

security/Kconfig

··· 64 64 65 65 If you are unsure how to answer this question, answer N. 66 66 67 + config HAS_SECURITY_AUDIT 68 + def_bool y 69 + depends on AUDIT 70 + depends on SECURITY 71 + 67 72 config SECURITYFS 68 73 bool "Enable the securityfs filesystem" 69 74 help

+1 -1

security/Makefile

··· 15 15 obj-$(CONFIG_SECURITYFS) += inode.o 16 16 obj-$(CONFIG_SECURITY_SELINUX) += selinux/ 17 17 obj-$(CONFIG_SECURITY_SMACK) += smack/ 18 - obj-$(CONFIG_SECURITY) += lsm_audit.o 18 + obj-$(CONFIG_HAS_SECURITY_AUDIT) += lsm_audit.o 19 19 obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/ 20 20 obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/ 21 21 obj-$(CONFIG_SECURITY_YAMA) += yama/

Configure Feed

Configure Feed