From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: Fabian Pflug <f.pflug@pengutronix.de>,
BAREBOX <barebox@lists.infradead.org>,
Sascha Hauer <s.hauer@pengutronix.de>
Subject: Re: [PATCH v5 3/7] security: policy: remove global active_policy var
Date: Fri, 20 Mar 2026 08:29:45 +0100 [thread overview]
Message-ID: <b61a4d62-72d3-41fd-bc51-be8c058b2618@pengutronix.de> (raw)
In-Reply-To: <20260320-v2026-02-0-topic-sconfig_console-v5-3-2efcaa7cb03e@pengutronix.de>
On 3/20/26 08:17, Fabian Pflug wrote:
> Replace with a getter function called security_policy_get_active(), that
> automatically initializes the active_policy, if an initial policy is
> set.
>
> Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de>
With below point addressed:
Reviewed-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
> @@ -25,9 +25,8 @@
> #define POLICY_TAMPER "tamper"
> #define POLICY_FIELD_RETURN "return"
>
> -extern const struct security_policy *active_policy;
The definition should be made static then.
> -
> const struct security_policy *security_policy_get(const char *name);
> +const struct security_policy *security_policy_get_active(void);
>
> int security_policy_activate(const struct security_policy *policy);
> int security_policy_select(const char *name);
> diff --git a/security/Kconfig.policy b/security/Kconfig.policy
> index 9ea52e91da..e778327b0d 100644
> --- a/security/Kconfig.policy
> +++ b/security/Kconfig.policy
> @@ -49,7 +49,8 @@ config SECURITY_POLICY_INIT
> prompt "Initial security policy"
> help
> The policy named here will be automatically selected the first
> - time a security policy is to be consulted.
> + time a security policy is to be consulted or the currently active
> + policy is queried.
> It's recommended to use a restrictive policy here and remove
> the restrictions if needed instead of the other way round.
>
> diff --git a/security/policy.c b/security/policy.c
> index 95e7bf99a2..fce527df67 100644
> --- a/security/policy.c
> +++ b/security/policy.c
> @@ -60,15 +60,12 @@ static bool __is_allowed(const struct security_policy *policy, unsigned option)
>
> bool is_allowed(const struct security_policy *policy, unsigned option)
> {
> - policy = policy ?: active_policy;
> -
> if (WARN(option > SCONFIG_NUM))
> return false;
>
> - if (!policy && *CONFIG_SECURITY_POLICY_INIT) {
> - security_policy_select(CONFIG_SECURITY_POLICY_INIT);
> - policy = active_policy;
> - }
> + /* initialize and use active policy if none is selected */
> + if (!policy)
> + policy = security_policy_get_active();
>
> if (policy) {
> bool allow = __is_allowed(policy, option);
> @@ -108,6 +105,13 @@ int security_policy_activate(const struct security_policy *policy)
> return 0;
> }
>
> +const struct security_policy *security_policy_get_active(void)
> +{
> + if (!active_policy && *CONFIG_SECURITY_POLICY_INIT)
> + security_policy_select(CONFIG_SECURITY_POLICY_INIT);
> + return active_policy;
> +}
> +
> const struct security_policy *security_policy_get(const char *name)
> {
> const struct policy_list_entry *entry;
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
next prev parent reply other threads:[~2026-03-20 7:30 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-20 7:17 [PATCH v5 0/7] Add helper for security policies Fabian Pflug
2026-03-20 7:17 ` [PATCH v5 1/7] of: add of_property_write_string_array() Fabian Pflug
2026-03-20 7:17 ` [PATCH v5 2/7] security: policy: sanity check parameters Fabian Pflug
2026-03-20 7:17 ` [PATCH v5 3/7] security: policy: remove global active_policy var Fabian Pflug
2026-03-20 7:29 ` Ahmad Fatoum [this message]
2026-03-20 7:17 ` [PATCH v5 4/7] security: policy: add notifier chain for name change Fabian Pflug
2026-03-20 7:17 ` [PATCH v5 5/7] common: bootm: add policy to commandline Fabian Pflug
2026-03-20 7:17 ` [PATCH v5 6/7] drivers: pinctrl: configure pinctrl based on policy name Fabian Pflug
2026-03-20 7:17 ` [PATCH v5 7/7] security: kernel_pinctrl: fixup pinctrl in kernel dts Fabian Pflug
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b61a4d62-72d3-41fd-bc51-be8c058b2618@pengutronix.de \
--to=a.fatoum@pengutronix.de \
--cc=barebox@lists.infradead.org \
--cc=f.pflug@pengutronix.de \
--cc=s.hauer@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox