[PATCH v2 3/5] security: policy: set active policy on boot
Fabian Pflug
f.pflug at pengutronix.de
Mon Mar 16 04:36:30 PDT 2026
If init name has been set at compile time and the policy is available,
because it is part of the path, then set the active policy to the policy
selected at compile time.
Since this is so early in the bootchain, there is no need to call
security_policy_activate, because there should not be any registered
callbacks at this moment in time.
If no policy could be found, then it will be filled as before by the
first call to is_allowed.
Signed-off-by: Fabian Pflug <f.pflug at pengutronix.de>
---
security/policy.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/security/policy.c b/security/policy.c
index 85333d9e6f..e2d1b10a78 100644
--- a/security/policy.c
+++ b/security/policy.c
@@ -235,6 +235,9 @@ static int security_init(void)
if (*CONFIG_SECURITY_POLICY_PATH)
security_policy_add(default);
+ if (*CONFIG_SECURITY_POLICY_INIT)
+ active_policy = security_policy_get(CONFIG_SECURITY_POLICY_INIT);
+
return 0;
}
pure_initcall(security_init);
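Review bot: The result of security_policy_get(CONFIG_SECURITY_POLICY_INIT) in the added lines is assigned to active_policy without any check, so a configured init name that matches no registered policy is silently ignored and, per the commit message, the policy is only chosen later by the first is_allowed call. For a security setting that is a misconfiguration worth surfacing: consider logging a warning (or returning an error from security_init) when CONFIG_SECURITY_POLICY_INIT is non-empty and the lookup finds nothing. A short comment above the assignment noting that security_policy_activate is bypassed on purpose because no callbacks are registered this early would also help, since that reasoning currently lives only in the commit message.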
--
2.47.3