mail archive of the barebox mailing list
From: Fabian Pflug <f.pflug@pengutronix.de>
To: Ahmad Fatoum <a.fatoum@pengutronix.de>,
	BAREBOX <barebox@lists.infradead.org>,
	Sascha Hauer <s.hauer@pengutronix.de>
Subject: Re: [PATCH v3 3/5] security: policy: set active policy on boot
Date: Wed, 18 Mar 2026 12:38:36 +0100
Message-ID: <7a04e3afc4460bfb232c688470f384e413d92a94.camel@pengutronix.de>
In-Reply-To: <f9d5e454-6721-4467-8a6d-2f42f8754ed8@pengutronix.de>

On Wed, 2026-03-18 at 12:28 +0100, Ahmad Fatoum wrote:
> On 3/18/26 10:22, Fabian Pflug wrote:
> > If init name has been set at compile time and the policy is available,
> > because it is part of the path, then set the active policy to the policy
> > selected at compile time.
> > Since this is so early in the bootchain, there is no need to call
> > security_policy_activate, because there should not be any registered
> > callbacks at this moment in time.
> > If no policy could be found, then it will be filled as before by the
> > first call to is_allowed.
> 
> The code in is_allowed is:
> 
> if (!policy && *CONFIG_SECURITY_POLICY_INIT) {
>         security_policy_select(CONFIG_SECURITY_POLICY_INIT);
>         policy = active_policy;
> }
> 
> It becomes dead code with your change here as CONFIG_SECURITY_POLICY_INIT
> is a compile-time constant, there is no filling on the first call anymore.

I also thought about it, but if the initial policy is not part of the compile-time policies, but instead gets added
during board setup code, then the change in init will not find the specified policy, resulting in policy being NULL and
this code still working.

> 
> > 
> > Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de>
> > ---
> >  security/policy.c | 3 +++
> >  1 file changed, 3 insertions(+)
> > 
> > diff --git a/security/policy.c b/security/policy.c
> > index 85333d9e6f..e2d1b10a78 100644
> > --- a/security/policy.c
> > +++ b/security/policy.c
> > @@ -235,6 +235,9 @@ static int security_init(void)
> >  	if (*CONFIG_SECURITY_POLICY_PATH)
> >  		security_policy_add(default);
> >  
> > +	if (*CONFIG_SECURITY_POLICY_INIT)
> > +		active_policy = security_policy_get(CONFIG_SECURITY_POLICY_INIT);
> > +
> 
> I think I decided initially against this, because there was initially
> a Sconfig option against changing the active security policy.
> 
> I believe now a single option is too limiting, it should instead be
> a directed graph that explains which policies are reachable from a given
> policy.
> 
> Anyways, the change here invalidates the Kconfig help text for
> SECURITY_POLICY_INIT.
> 
> I am not fully sure if this change is a good idea, but it needs to
> be fixed to be considered. I assume you do this, because checking
> the name of the policy doesn't trigger a selection like IS_ALLOWED does?

Exactly.
During device_probe, there is a need to know the current policy name, if there is a policy active.

I will have a look into it.

Fabian

> 
> Thanks,
> Ahmad
> 
> 
> >  	return 0;
> >  }
> >  pure_initcall(security_init);
> > 
> 
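Review bot: The added assignment `active_policy = security_policy_get(CONFIG_SECURITY_POLICY_INIT);` in security_init() stores the lookup result unchecked and sets the active policy without going through security_policy_select() or security_policy_activate(), and the code gives no reason for that. The justification lives only in the commit message (no callbacks are registered this early, and a failed lookup is later filled in by the first is_allowed call). Put it in a comment above the assignment. The fallback also only works if a failed lookup leaves active_policy as NULL, since the is_allowed path quoted above tests `!policy`. Either check the result explicitly before assigning, or state that assumption in the comment. As the discussion notes, a policy registered later by board code still depends on the lazy selection in is_allowed, so that branch is not dead in every configuration and should carry a matching comment. The SECURITY_POLICY_INIT Kconfig help text should be updated in the same patch to describe selection at init time.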


