[PATCH v5 3/7] security: policy: remove global active_policy var
Ahmad Fatoum
a.fatoum at pengutronix.de
Fri Mar 20 00:29:45 PDT 2026
On 3/20/26 08:17, Fabian Pflug wrote:
> Replace with a getter function called security_policy_get_active(), that
> automatically initializes the active_policy, if an initial policy is
> set.
>
> Signed-off-by: Fabian Pflug <f.pflug at pengutronix.de>
With below point addressed:
Reviewed-by: Ahmad Fatoum <a.fatoum at pengutronix.de>
> @@ -25,9 +25,8 @@
> #define POLICY_TAMPER "tamper"
> #define POLICY_FIELD_RETURN "return"
>
> -extern const struct security_policy *active_policy;
The definition should be made static then.
> -
> const struct security_policy *security_policy_get(const char *name);
> +const struct security_policy *security_policy_get_active(void);
>
> int security_policy_activate(const struct security_policy *policy);
> int security_policy_select(const char *name);
> diff --git a/security/Kconfig.policy b/security/Kconfig.policy
> index 9ea52e91da..e778327b0d 100644
> --- a/security/Kconfig.policy
> +++ b/security/Kconfig.policy
> @@ -49,7 +49,8 @@ config SECURITY_POLICY_INIT
> prompt "Initial security policy"
> help
> The policy named here will be automatically selected the first
> - time a security policy is to be consulted.
> + time a security policy is to be consulted or the currently active
> + policy is queried.
> It's recommended to use a restrictive policy here and remove
> the restrictions if needed instead of the other way round.
>
> diff --git a/security/policy.c b/security/policy.c
> index 95e7bf99a2..fce527df67 100644
> --- a/security/policy.c
> +++ b/security/policy.c
> @@ -60,15 +60,12 @@ static bool __is_allowed(const struct security_policy *policy, unsigned option)
>
> bool is_allowed(const struct security_policy *policy, unsigned option)
> {
> - policy = policy ?: active_policy;
> -
> if (WARN(option > SCONFIG_NUM))
> return false;
>
> - if (!policy && *CONFIG_SECURITY_POLICY_INIT) {
> - security_policy_select(CONFIG_SECURITY_POLICY_INIT);
> - policy = active_policy;
> - }
> + /* initialize and use active policy if none is selected */
> + if (!policy)
> + policy = security_policy_get_active();
>
> if (policy) {
> bool allow = __is_allowed(policy, option);
> @@ -108,6 +105,13 @@ int security_policy_activate(const struct security_policy *policy)
> return 0;
> }
>
> +const struct security_policy *security_policy_get_active(void)
> +{
> + if (!active_policy && *CONFIG_SECURITY_POLICY_INIT)
> + security_policy_select(CONFIG_SECURITY_POLICY_INIT);
> + return active_policy;
> +}
> +
> const struct security_policy *security_policy_get(const char *name)
> {
> const struct policy_list_entry *entry;
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
More information about the barebox
mailing list