From 7ccbe076d987598b04b4b9c9b61f042291f9cc77 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= Date: Fri, 22 Nov 2024 15:33:31 +0100 Subject: [PATCH] lsm: Only build lsm_audit.c if CONFIG_SECURITY and CONFIG_AUDIT are set MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When CONFIG_AUDIT is set, its CONFIG_NET dependency is also set, and the dev_get_by_index and init_net symbols (used by dump_common_audit_data) are found by the linker. dump_common_audit_data() should then failed to build when CONFIG_NET is not set. However, because the compiler is smart, it knows that audit_log_start() always return NULL when !CONFIG_AUDIT, and it doesn't build the body of common_lsm_audit(). As a side effect, dump_common_audit_data() is not built and the linker doesn't error out because of missing symbols. Let's only build lsm_audit.o when CONFIG_SECURITY and CONFIG_AUDIT are both set, which is checked with the new CONFIG_HAS_SECURITY_AUDIT. ipv4_skb_to_auditdata() and ipv6_skb_to_auditdata() are only used by Smack if CONFIG_AUDIT is set, so they don't need fake implementations. Because common_lsm_audit() is used in multiple places without CONFIG_AUDIT checks, add a fake implementation. Link: https://lore.kernel.org/r/20241122143353.59367-2-mic@digikod.net Cc: Casey Schaufler Cc: James Morris Cc: Paul Moore Cc: Serge E. Hallyn Signed-off-by: Mickaël Salaün Signed-off-by: Paul Moore --- include/linux/lsm_audit.h | 14 ++++++++++++++ security/Kconfig | 5 +++++ security/Makefile | 2 +- 3 files changed, 20 insertions(+), 1 deletion(-) diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h index 97a8b21eb033..c2b01380262c 100644 --- a/include/linux/lsm_audit.h +++ b/include/linux/lsm_audit.h @@ -116,14 +116,28 @@ struct common_audit_data { #define v4info fam.v4 #define v6info fam.v6 +#ifdef CONFIG_AUDIT + int ipv4_skb_to_auditdata(struct sk_buff *skb, struct common_audit_data *ad, u8 *proto); +#if IS_ENABLED(CONFIG_IPV6) int ipv6_skb_to_auditdata(struct sk_buff *skb, struct common_audit_data *ad, u8 *proto); +#endif /* IS_ENABLED(CONFIG_IPV6) */ void common_lsm_audit(struct common_audit_data *a, void (*pre_audit)(struct audit_buffer *, void *), void (*post_audit)(struct audit_buffer *, void *)); +#else /* CONFIG_AUDIT */ + +static inline void common_lsm_audit(struct common_audit_data *a, + void (*pre_audit)(struct audit_buffer *, void *), + void (*post_audit)(struct audit_buffer *, void *)) +{ +} + +#endif /* CONFIG_AUDIT */ + #endif diff --git a/security/Kconfig b/security/Kconfig index 28e685f53bd1..f10dbf15c294 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -64,6 +64,11 @@ config SECURITY If you are unsure how to answer this question, answer N. +config HAS_SECURITY_AUDIT + def_bool y + depends on AUDIT + depends on SECURITY + config SECURITYFS bool "Enable the securityfs filesystem" help diff --git a/security/Makefile b/security/Makefile index cc0982214b84..22ff4c8bd8ce 100644 --- a/security/Makefile +++ b/security/Makefile @@ -15,7 +15,7 @@ obj-$(CONFIG_SECURITY) += security.o obj-$(CONFIG_SECURITYFS) += inode.o obj-$(CONFIG_SECURITY_SELINUX) += selinux/ obj-$(CONFIG_SECURITY_SMACK) += smack/ -obj-$(CONFIG_SECURITY) += lsm_audit.o +obj-$(CONFIG_HAS_SECURITY_AUDIT) += lsm_audit.o obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/ obj-$(CONFIG_SECURITY_YAMA) += yama/