From: Fabian Pflug <f.pflug@pengutronix.de>
To: BAREBOX <barebox@lists.infradead.org>
Cc: Fabian Pflug <f.pflug@pengutronix.de>
Subject: [PATCH 2/4] security: policy: set active policy on boot
Date: Thu, 12 Mar 2026 10:16:43 +0100 [thread overview]
Message-ID: <20260312-v2026-02-0-topic-sconfig_console-v1-2-4c3fccafab1e@pengutronix.de> (raw)
In-Reply-To: <20260312-v2026-02-0-topic-sconfig_console-v1-0-4c3fccafab1e@pengutronix.de>
If init name has been set at compiletime and the policy is available,
because it is part of the path, then set the active policy to the policy
selected by compiletime.
Since this is so early in the bootchain, there is no need to call
security_policy_activate, because there should not be any registered
callbacks at this moment in time.
If no policy could be found, then it will be filled as before by the
first call to is_allowed.
Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de>
---
security/policy.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/security/policy.c b/security/policy.c
index 85333d9e6f..e2d1b10a78 100644
--- a/security/policy.c
+++ b/security/policy.c
@@ -235,6 +235,9 @@ static int security_init(void)
if (*CONFIG_SECURITY_POLICY_PATH)
security_policy_add(default);
+ if (*CONFIG_SECURITY_POLICY_INIT)
+ active_policy = security_policy_get(CONFIG_SECURITY_POLICY_INIT);
+
return 0;
}
pure_initcall(security_init);
--
2.47.3
next prev parent reply other threads:[~2026-03-12 9:17 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-12 9:16 [PATCH 0/4] Add helper for security policies Fabian Pflug
2026-03-12 9:16 ` [PATCH 1/4] common: bootm: add policy to commandline Fabian Pflug
2026-03-13 13:36 ` Sascha Hauer
2026-03-13 14:26 ` Fabian Pflug
2026-03-13 14:30 ` Sascha Hauer
2026-03-12 9:16 ` Fabian Pflug [this message]
2026-03-12 9:16 ` [PATCH 3/4] security: configure pinctrl based on policy name Fabian Pflug
2026-03-12 9:16 ` [PATCH 4/4] security: kernel_pinctrl: fixup pinctrl in kernel dts Fabian Pflug
2026-03-13 14:10 ` Sascha Hauer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260312-v2026-02-0-topic-sconfig_console-v1-2-4c3fccafab1e@pengutronix.de \
--to=f.pflug@pengutronix.de \
--cc=barebox@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox