From: Kees Cook <kees@kernel.org>
To: Paul Moore <paul@paul-moore.com>
Cc: linux-security-module@vger.kernel.org,
linux-integrity@vger.kernel.org, selinux@vger.kernel.org,
"John Johansen" <john.johansen@canonical.com>,
"Mimi Zohar" <zohar@linux.ibm.com>,
"Roberto Sassu" <roberto.sassu@huawei.com>,
"Fan Wu" <wufan@kernel.org>, "Mickaël Salaün" <mic@digikod.net>,
"Günther Noack" <gnoack@google.com>,
"Micah Morton" <mortonm@chromium.org>,
"Casey Schaufler" <casey@schaufler-ca.com>,
"Tetsuo Handa" <penguin-kernel@i-love.sakura.ne.jp>
Subject: Re: [RFC PATCH 20/29] smack: move initcalls to the LSM framework
Date: Wed, 9 Apr 2025 16:42:43 -0700 [thread overview]
Message-ID: <202504091641.738FECED@keescook> (raw)
In-Reply-To: <20250409185019.238841-51-paul@paul-moore.com>
On Wed, Apr 09, 2025 at 02:50:05PM -0400, Paul Moore wrote:
> As the LSM framework only supports one LSM initcall callback for each
> initcall type, the init_smk_fs() and smack_nf_ip_init() functions were
> wrapped with a new function, smack_initcall() that is registered with
> the LSM framework.
>
> Signed-off-by: Paul Moore <paul@paul-moore.com>
> ---
> security/smack/smack.h | 6 ++++++
> security/smack/smack_lsm.c | 16 ++++++++++++++++
> security/smack/smack_netfilter.c | 4 +---
> security/smack/smackfs.c | 4 +---
> 4 files changed, 24 insertions(+), 6 deletions(-)
>
> diff --git a/security/smack/smack.h b/security/smack/smack.h
> index bf6a6ed3946c..709e0d6cd5e1 100644
> --- a/security/smack/smack.h
> +++ b/security/smack/smack.h
> @@ -275,6 +275,12 @@ struct smk_audit_info {
> #endif
> };
>
> +/*
> + * Initialization
> + */
> +int init_smk_fs(void);
> +int smack_nf_ip_init(void);
> +
> /*
> * These functions are in smack_access.c
> */
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index e09b33fed5f0..80b129a0c92c 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -5277,6 +5277,21 @@ static __init int smack_init(void)
> return 0;
> }
>
> +static int smack_initcall(void)
> +{
> + int rc, rc_tmp;
> +
> + rc_tmp = init_smk_fs();
> + if (rc_tmp)
> + rc = rc_tmp;
> +
> + rc_tmp = smack_nf_ip_init();
> + if (!rc && rc_tmp)
> + rc = rc_tmp;
> +
> + return rc;
> +}
This retains the existing behavior, but I think it'd be better to
evaluate if the init_smk_fs() call can be tied to the fs init hook
instead, yes? Then no new helper is needed, etc.
-Kees
> +
> /*
> * Smack requires early initialization in order to label
> * all processes and objects when they are created.
> @@ -5286,4 +5301,5 @@ DEFINE_LSM(smack) = {
> .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
> .blobs = &smack_blob_sizes,
> .init = smack_init,
> + .initcall_device = smack_initcall,
> };
> diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c
> index 8fd747b3653a..17ba578b1308 100644
> --- a/security/smack/smack_netfilter.c
> +++ b/security/smack/smack_netfilter.c
> @@ -68,7 +68,7 @@ static struct pernet_operations smack_net_ops = {
> .exit = smack_nf_unregister,
> };
>
> -static int __init smack_nf_ip_init(void)
> +int __init smack_nf_ip_init(void)
> {
> if (smack_enabled == 0)
> return 0;
> @@ -76,5 +76,3 @@ static int __init smack_nf_ip_init(void)
> printk(KERN_DEBUG "Smack: Registering netfilter hooks\n");
> return register_pernet_subsys(&smack_net_ops);
> }
> -
> -__initcall(smack_nf_ip_init);
> diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
> index 90a67e410808..d33dd0368807 100644
> --- a/security/smack/smackfs.c
> +++ b/security/smack/smackfs.c
> @@ -2980,7 +2980,7 @@ static struct vfsmount *smackfs_mount;
> * Returns true if we were not chosen on boot or if
> * we were chosen and filesystem registration succeeded.
> */
> -static int __init init_smk_fs(void)
> +int __init init_smk_fs(void)
> {
> int err;
> int rc;
> @@ -3023,5 +3023,3 @@ static int __init init_smk_fs(void)
>
> return err;
> }
> -
> -__initcall(init_smk_fs);
> --
> 2.49.0
>
--
Kees Cook
next prev parent reply other threads:[~2025-04-09 23:42 UTC|newest]
Thread overview: 126+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-09 18:49 [RFC PATCH 0/29] Rework the LSM initialization Paul Moore
2025-04-09 18:49 ` [RFC PATCH 01/29] lsm: split the notifier code out into lsm_notifier.c Paul Moore
2025-04-09 21:17 ` Kees Cook
2025-04-15 12:14 ` John Johansen
2025-04-09 18:49 ` [RFC PATCH 02/29] lsm: split the init code out into lsm_init.c Paul Moore
2025-04-09 21:18 ` Kees Cook
2025-04-15 22:01 ` John Johansen
2025-04-09 18:49 ` [RFC PATCH 03/29] lsm: simplify prepare_lsm() and rename to lsm_prep_single() Paul Moore
2025-04-09 21:30 ` Kees Cook
2025-04-09 21:54 ` Paul Moore
2025-04-15 22:10 ` John Johansen
2025-04-09 18:49 ` [RFC PATCH 04/29] lsm: simplify ordered_lsm_init() and rename to lsm_init_ordered() Paul Moore
2025-04-09 21:38 ` Kees Cook
2025-04-09 22:31 ` Paul Moore
2025-04-09 18:49 ` [RFC PATCH 05/29] lsm: replace the name field with a pointer to the lsm_id struct Paul Moore
2025-04-09 21:40 ` Kees Cook
2025-04-15 22:20 ` John Johansen
2025-04-09 18:49 ` [RFC PATCH 06/29] lsm: cleanup and normalize the LSM order symbols naming Paul Moore
2025-04-09 23:00 ` Kees Cook
2025-04-15 22:23 ` John Johansen
2025-04-09 18:49 ` [RFC PATCH 07/29] lsm: rework lsm_active_cnt and lsm_idlist[] Paul Moore
2025-04-09 21:38 ` Casey Schaufler
2025-04-10 21:58 ` Paul Moore
2025-04-09 23:06 ` Kees Cook
2025-04-10 22:04 ` Paul Moore
2025-04-10 22:25 ` Kees Cook
2025-04-11 0:58 ` Casey Schaufler
2025-04-09 18:49 ` [RFC PATCH 08/29] lsm: get rid of the lsm_names list and do some cleanup Paul Moore
2025-04-09 23:13 ` Kees Cook
2025-04-10 22:47 ` Paul Moore
2025-04-11 2:15 ` Kees Cook
2025-04-11 3:14 ` Paul Moore
2025-04-15 22:30 ` John Johansen
2025-05-22 21:26 ` Casey Schaufler
2025-04-09 18:49 ` [RFC PATCH 09/29] lsm: cleanup and normalize the LSM enabled functions Paul Moore
2025-04-10 0:11 ` Kees Cook
2025-04-11 1:50 ` Paul Moore
2025-04-11 2:03 ` Paul Moore
2025-04-11 2:14 ` Paul Moore
2025-04-11 2:17 ` Kees Cook
2025-04-09 18:49 ` [RFC PATCH 10/29] lsm: cleanup the LSM blob size code Paul Moore
2025-04-09 23:29 ` Kees Cook
2025-04-15 23:02 ` John Johansen
2025-04-19 2:42 ` Fan Wu
2025-04-19 5:53 ` Kees Cook
2025-04-19 15:58 ` Fan Wu
2025-04-09 18:49 ` [RFC PATCH 11/29] lsm: cleanup initialize_lsm() and rename to lsm_init_single() Paul Moore
2025-04-09 23:30 ` Kees Cook
2025-04-15 23:04 ` John Johansen
2025-04-09 18:49 ` [RFC PATCH 12/29] lsm: cleanup the LSM ordered parsing Paul Moore
2025-04-09 18:49 ` [RFC PATCH 13/29] lsm: fold lsm_init_ordered() into security_init() Paul Moore
2025-04-09 18:49 ` [RFC PATCH 14/29] lsm: add missing function header comment blocks in lsm_init.c Paul Moore
2025-05-14 10:10 ` John Johansen
2025-04-09 18:50 ` [RFC PATCH 15/29] lsm: cleanup the debug and console output " Paul Moore
2025-04-09 18:50 ` [RFC PATCH 16/29] lsm: output available LSMs when debugging Paul Moore
2025-05-14 12:01 ` John Johansen
2025-04-09 18:50 ` [RFC PATCH 17/29] lsm: introduce an initcall mechanism into the LSM framework Paul Moore
2025-04-09 21:16 ` Kees Cook
2025-04-10 20:52 ` Paul Moore
2025-05-14 11:59 ` John Johansen
2025-04-09 18:50 ` [RFC PATCH 18/29] loadpin: move initcalls to " Paul Moore
2025-04-09 23:39 ` Kees Cook
2025-04-11 1:15 ` Paul Moore
2025-04-11 2:16 ` Kees Cook
2025-04-11 2:41 ` Paul Moore
2025-05-14 11:57 ` John Johansen
2025-04-09 18:50 ` [RFC PATCH 19/29] ipe: " Paul Moore
2025-04-09 23:40 ` Kees Cook
2025-04-14 21:19 ` Fan Wu
2025-04-15 1:58 ` Paul Moore
2025-05-14 12:02 ` John Johansen
2025-04-09 18:50 ` [RFC PATCH 20/29] smack: " Paul Moore
2025-04-09 23:42 ` Kees Cook [this message]
2025-04-11 2:30 ` Paul Moore
2025-04-10 17:30 ` Casey Schaufler
2025-04-10 17:47 ` Casey Schaufler
2025-04-11 20:09 ` Paul Moore
2025-04-14 21:04 ` Fan Wu
2025-04-15 1:54 ` Paul Moore
2025-04-09 18:50 ` [RFC PATCH 21/29] tomoyo: " Paul Moore
2025-04-09 23:43 ` Kees Cook
2025-05-14 12:05 ` John Johansen
2025-04-09 18:50 ` [RFC PATCH 22/29] safesetid: " Paul Moore
2025-04-09 23:43 ` Kees Cook
2025-04-11 19:20 ` Micah Morton
2025-04-11 20:45 ` Paul Moore
2025-05-14 12:18 ` John Johansen
2025-04-09 18:50 ` [RFC PATCH 23/29] apparmor: " Paul Moore
2025-04-09 23:44 ` Kees Cook
2025-05-14 13:33 ` John Johansen
2025-04-09 18:50 ` [RFC PATCH 24/29] lockdown: " Paul Moore
2025-04-09 23:44 ` Kees Cook
2025-05-14 13:31 ` John Johansen
2025-04-09 18:50 ` [RFC PATCH 25/29] ima,evm: " Paul Moore
2025-05-14 13:06 ` John Johansen
2025-06-11 20:09 ` Paul Moore
2025-05-30 22:03 ` Mimi Zohar
2025-06-11 20:27 ` Paul Moore
2025-06-13 20:34 ` Mimi Zohar
2025-07-21 21:59 ` Paul Moore
2025-04-09 18:50 ` [RFC PATCH 26/29] selinux: " Paul Moore
2025-04-10 16:33 ` Stephen Smalley
2025-04-11 3:24 ` Paul Moore
2025-05-23 15:12 ` Casey Schaufler
2025-04-09 18:50 ` [RFC PATCH 27/29] lsm: consolidate all of the LSM framework initcalls Paul Moore
2025-04-09 23:52 ` Kees Cook
2025-04-11 1:21 ` Paul Moore
2025-04-11 2:16 ` Kees Cook
2025-05-14 13:38 ` John Johansen
2025-04-09 18:50 ` [RFC PATCH 28/29] lsm: add a LSM_STARTED_ALL notification event Paul Moore
2025-04-09 23:53 ` Kees Cook
2025-05-14 13:34 ` John Johansen
2025-04-09 18:50 ` [RFC PATCH 29/29] lsm: add support for counting lsm_prop support among LSMs Paul Moore
2025-05-13 16:39 ` Casey Schaufler
2025-05-13 20:23 ` Paul Moore
2025-05-14 19:30 ` Casey Schaufler
2025-05-14 20:57 ` Paul Moore
2025-05-14 21:16 ` Casey Schaufler
2025-05-14 22:11 ` Paul Moore
2025-05-15 14:12 ` Casey Schaufler
2025-05-15 18:13 ` Paul Moore
2025-05-15 19:41 ` Casey Schaufler
2025-05-15 21:02 ` Paul Moore
2025-04-10 14:13 ` [RFC PATCH 0/29] Rework the LSM initialization Casey Schaufler
2025-04-10 16:31 ` Kees Cook
2025-04-11 2:28 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202504091641.738FECED@keescook \
--to=kees@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=gnoack@google.com \
--cc=john.johansen@canonical.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=mortonm@chromium.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=roberto.sassu@huawei.com \
--cc=selinux@vger.kernel.org \
--cc=wufan@kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.