From: Paul Moore <paul@paul-moore.com>
To: linux-security-module@vger.kernel.org,
linux-integrity@vger.kernel.org, selinux@vger.kernel.org
Cc: "John Johansen" <john.johansen@canonical.com>,
"Mimi Zohar" <zohar@linux.ibm.com>,
"Roberto Sassu" <roberto.sassu@huawei.com>,
"Fan Wu" <wufan@kernel.org>, "Mickaël Salaün" <mic@digikod.net>,
"Günther Noack" <gnoack@google.com>,
"Kees Cook" <kees@kernel.org>,
"Micah Morton" <mortonm@chromium.org>,
"Casey Schaufler" <casey@schaufler-ca.com>,
"Tetsuo Handa" <penguin-kernel@I-love.SAKURA.ne.jp>,
"Nicolas Bouchinet" <nicolas.bouchinet@oss.cyber.gouv.fr>,
"Xiu Jianfeng" <xiujianfeng@huawei.com>
Subject: [PATCH v4 32/34] selinux: move initcalls to the LSM framework
Date: Tue, 16 Sep 2025 18:03:59 -0400 [thread overview]
Message-ID: <20250916220355.252592-68-paul@paul-moore.com> (raw)
In-Reply-To: <20250916220355.252592-36-paul@paul-moore.com>
SELinux currently has a number of initcalls so we've created a new
function, selinux_initcall(), which wraps all of these initcalls so
that we have a single initcall function that can be registered with the
LSM framework.
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
security/selinux/Makefile | 2 +-
security/selinux/hooks.c | 9 +++--
security/selinux/ibpkey.c | 5 ++-
security/selinux/include/audit.h | 9 +++++
security/selinux/include/initcalls.h | 19 ++++++++++
security/selinux/initcalls.c | 52 ++++++++++++++++++++++++++++
security/selinux/netif.c | 5 ++-
security/selinux/netlink.c | 5 ++-
security/selinux/netnode.c | 5 ++-
security/selinux/netport.c | 5 ++-
security/selinux/selinuxfs.c | 5 ++-
security/selinux/ss/services.c | 26 ++++----------
12 files changed, 107 insertions(+), 40 deletions(-)
create mode 100644 security/selinux/include/initcalls.h
create mode 100644 security/selinux/initcalls.c
diff --git a/security/selinux/Makefile b/security/selinux/Makefile
index 66e56e9011df..72d3baf7900c 100644
--- a/security/selinux/Makefile
+++ b/security/selinux/Makefile
@@ -15,7 +15,7 @@ ccflags-y := -I$(srctree)/security/selinux -I$(srctree)/security/selinux/include
ccflags-$(CONFIG_SECURITY_SELINUX_DEBUG) += -DDEBUG
selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \
- netnode.o netport.o status.o \
+ netnode.o netport.o status.o initcalls.o \
ss/ebitmap.o ss/hashtab.o ss/symtab.o ss/sidtab.o ss/avtab.o \
ss/policydb.o ss/services.o ss/conditional.o ss/mls.o ss/context.o
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index d94b1ff316ba..faa78d16e1b9 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -94,6 +94,7 @@
#include <linux/io_uring/cmd.h>
#include <uapi/linux/lsm.h>
+#include "initcalls.h"
#include "avc.h"
#include "objsec.h"
#include "netif.h"
@@ -7603,6 +7604,10 @@ static __init int selinux_init(void)
if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
panic("SELinux: Unable to register AVC LSM notifier callback\n");
+ if (avc_add_callback(selinux_audit_rule_avc_callback,
+ AVC_CALLBACK_RESET))
+ panic("SELinux: Unable to register AVC audit callback\n");
+
if (selinux_enforcing_boot)
pr_debug("SELinux: Starting in enforcing mode\n");
else
@@ -7635,6 +7640,7 @@ DEFINE_LSM(selinux) = {
.enabled = &selinux_enabled_boot,
.blobs = &selinux_blob_sizes,
.init = selinux_init,
+ .initcall_device = selinux_initcall,
};
#if defined(CONFIG_NETFILTER)
@@ -7696,7 +7702,7 @@ static struct pernet_operations selinux_net_ops = {
.exit = selinux_nf_unregister,
};
-static int __init selinux_nf_ip_init(void)
+int __init selinux_nf_ip_init(void)
{
int err;
@@ -7711,5 +7717,4 @@ static int __init selinux_nf_ip_init(void)
return 0;
}
-__initcall(selinux_nf_ip_init);
#endif /* CONFIG_NETFILTER */
diff --git a/security/selinux/ibpkey.c b/security/selinux/ibpkey.c
index 470481cfe0e8..ea1d9b2c7d2b 100644
--- a/security/selinux/ibpkey.c
+++ b/security/selinux/ibpkey.c
@@ -23,6 +23,7 @@
#include <linux/list.h>
#include <linux/spinlock.h>
+#include "initcalls.h"
#include "ibpkey.h"
#include "objsec.h"
@@ -218,7 +219,7 @@ void sel_ib_pkey_flush(void)
spin_unlock_irqrestore(&sel_ib_pkey_lock, flags);
}
-static __init int sel_ib_pkey_init(void)
+int __init sel_ib_pkey_init(void)
{
int iter;
@@ -232,5 +233,3 @@ static __init int sel_ib_pkey_init(void)
return 0;
}
-
-subsys_initcall(sel_ib_pkey_init);
diff --git a/security/selinux/include/audit.h b/security/selinux/include/audit.h
index d5b0425055e4..85a531ac737b 100644
--- a/security/selinux/include/audit.h
+++ b/security/selinux/include/audit.h
@@ -15,6 +15,15 @@
#include <linux/audit.h>
#include <linux/types.h>
+/**
+ * selinux_audit_rule_avc_callback - update the audit LSM rules on AVC events.
+ * @event: the AVC event
+ *
+ * Update any audit LSM rules based on the AVC event specified in @event.
+ * Returns 0 on success, negative values otherwise.
+ */
+int selinux_audit_rule_avc_callback(u32 event);
+
/**
* selinux_audit_rule_init - alloc/init an selinux audit rule structure.
* @field: the field this rule refers to
diff --git a/security/selinux/include/initcalls.h b/security/selinux/include/initcalls.h
new file mode 100644
index 000000000000..6674cf489473
--- /dev/null
+++ b/security/selinux/include/initcalls.h
@@ -0,0 +1,19 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * SELinux initcalls
+ */
+
+#ifndef _SELINUX_INITCALLS_H
+#define _SELINUX_INITCALLS_H
+
+int init_sel_fs(void);
+int sel_netport_init(void);
+int sel_netnode_init(void);
+int sel_netif_init(void);
+int sel_netlink_init(void);
+int sel_ib_pkey_init(void);
+int selinux_nf_ip_init(void);
+
+int selinux_initcall(void);
+
+#endif
diff --git a/security/selinux/initcalls.c b/security/selinux/initcalls.c
new file mode 100644
index 000000000000..f6716a1d38c1
--- /dev/null
+++ b/security/selinux/initcalls.c
@@ -0,0 +1,52 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * SELinux initcalls
+ */
+
+#include <linux/init.h>
+
+#include "initcalls.h"
+
+/**
+ * selinux_initcall - Perform the SELinux initcalls
+ *
+ * Used as a device initcall in the SELinux LSM definition.
+ */
+int __init selinux_initcall(void)
+{
+ int rc = 0, rc_tmp = 0;
+
+ rc_tmp = init_sel_fs();
+ if (!rc && rc_tmp)
+ rc = rc_tmp;
+
+ rc_tmp = sel_netport_init();
+ if (!rc && rc_tmp)
+ rc = rc_tmp;
+
+ rc_tmp = sel_netnode_init();
+ if (!rc && rc_tmp)
+ rc = rc_tmp;
+
+ rc_tmp = sel_netif_init();
+ if (!rc && rc_tmp)
+ rc = rc_tmp;
+
+ rc_tmp = sel_netlink_init();
+ if (!rc && rc_tmp)
+ rc = rc_tmp;
+
+#if defined(CONFIG_SECURITY_INFINIBAND)
+ rc_tmp = sel_ib_pkey_init();
+ if (!rc && rc_tmp)
+ rc = rc_tmp;
+#endif
+
+#if defined(CONFIG_NETFILTER)
+ rc_tmp = selinux_nf_ip_init();
+ if (!rc && rc_tmp)
+ rc = rc_tmp;
+#endif
+
+ return rc;
+}
diff --git a/security/selinux/netif.c b/security/selinux/netif.c
index 78afbecdbe57..e24b2cba28ea 100644
--- a/security/selinux/netif.c
+++ b/security/selinux/netif.c
@@ -22,6 +22,7 @@
#include <linux/rcupdate.h>
#include <net/net_namespace.h>
+#include "initcalls.h"
#include "security.h"
#include "objsec.h"
#include "netif.h"
@@ -265,7 +266,7 @@ static struct notifier_block sel_netif_netdev_notifier = {
.notifier_call = sel_netif_netdev_notifier_handler,
};
-static __init int sel_netif_init(void)
+int __init sel_netif_init(void)
{
int i;
@@ -280,5 +281,3 @@ static __init int sel_netif_init(void)
return 0;
}
-__initcall(sel_netif_init);
-
diff --git a/security/selinux/netlink.c b/security/selinux/netlink.c
index 1760aee712fd..eb40e4603475 100644
--- a/security/selinux/netlink.c
+++ b/security/selinux/netlink.c
@@ -17,6 +17,7 @@
#include <net/net_namespace.h>
#include <net/netlink.h>
+#include "initcalls.h"
#include "security.h"
static struct sock *selnl __ro_after_init;
@@ -105,7 +106,7 @@ void selnl_notify_policyload(u32 seqno)
selnl_notify(SELNL_MSG_POLICYLOAD, &seqno);
}
-static int __init selnl_init(void)
+int __init sel_netlink_init(void)
{
struct netlink_kernel_cfg cfg = {
.groups = SELNLGRP_MAX,
@@ -117,5 +118,3 @@ static int __init selnl_init(void)
panic("SELinux: Cannot create netlink socket.");
return 0;
}
-
-__initcall(selnl_init);
diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c
index 5d0ed08d46e5..9b3da5ce8d39 100644
--- a/security/selinux/netnode.c
+++ b/security/selinux/netnode.c
@@ -30,6 +30,7 @@
#include <net/ip.h>
#include <net/ipv6.h>
+#include "initcalls.h"
#include "netnode.h"
#include "objsec.h"
@@ -290,7 +291,7 @@ void sel_netnode_flush(void)
spin_unlock_bh(&sel_netnode_lock);
}
-static __init int sel_netnode_init(void)
+int __init sel_netnode_init(void)
{
int iter;
@@ -304,5 +305,3 @@ static __init int sel_netnode_init(void)
return 0;
}
-
-__initcall(sel_netnode_init);
diff --git a/security/selinux/netport.c b/security/selinux/netport.c
index 6fd7da4b3576..9e62f7285e81 100644
--- a/security/selinux/netport.c
+++ b/security/selinux/netport.c
@@ -29,6 +29,7 @@
#include <net/ip.h>
#include <net/ipv6.h>
+#include "initcalls.h"
#include "netport.h"
#include "objsec.h"
@@ -218,7 +219,7 @@ void sel_netport_flush(void)
spin_unlock_bh(&sel_netport_lock);
}
-static __init int sel_netport_init(void)
+int __init sel_netport_init(void)
{
int iter;
@@ -232,5 +233,3 @@ static __init int sel_netport_init(void)
return 0;
}
-
-__initcall(sel_netport_init);
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 9aa1d03ab612..657e6ff65be7 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -35,6 +35,7 @@
/* selinuxfs pseudo filesystem for exporting the security policy API.
Based on the proc code and the fs/nfsd/nfsctl.c code. */
+#include "initcalls.h"
#include "flask.h"
#include "avc.h"
#include "avc_ss.h"
@@ -2130,7 +2131,7 @@ static struct file_system_type sel_fs_type = {
struct path selinux_null __ro_after_init;
-static int __init init_sel_fs(void)
+int __init init_sel_fs(void)
{
struct qstr null_name = QSTR_INIT(NULL_FILE_NAME,
sizeof(NULL_FILE_NAME)-1);
@@ -2174,5 +2175,3 @@ static int __init init_sel_fs(void)
return err;
}
-
-__initcall(init_sel_fs);
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 713130bd43c4..13fc712d5923 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -3570,6 +3570,13 @@ struct selinux_audit_rule {
struct context au_ctxt;
};
+int selinux_audit_rule_avc_callback(u32 event)
+{
+ if (event == AVC_CALLBACK_RESET)
+ return audit_update_lsm_rules();
+ return 0;
+}
+
void selinux_audit_rule_free(void *vrule)
{
struct selinux_audit_rule *rule = vrule;
@@ -3820,25 +3827,6 @@ int selinux_audit_rule_match(struct lsm_prop *prop, u32 field, u32 op, void *vru
return match;
}
-static int aurule_avc_callback(u32 event)
-{
- if (event == AVC_CALLBACK_RESET)
- return audit_update_lsm_rules();
- return 0;
-}
-
-static int __init aurule_init(void)
-{
- int err;
-
- err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET);
- if (err)
- panic("avc_add_callback() failed, error %d\n", err);
-
- return err;
-}
-__initcall(aurule_init);
-
#ifdef CONFIG_NETLABEL
/**
* security_netlbl_cache_add - Add an entry to the NetLabel cache
--
2.51.0
next prev parent reply other threads:[~2025-09-16 22:14 UTC|newest]
Thread overview: 69+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-16 22:03 [PATCH v4 0/34] Rework the LSM initialization Paul Moore
2025-09-16 22:03 ` [PATCH v4 01/34] lsm: split the notifier code out into lsm_notifier.c Paul Moore
2025-09-19 10:44 ` Mimi Zohar
2025-09-16 22:03 ` [PATCH v4 02/34] lsm: split the init code out into lsm_init.c Paul Moore
2025-09-19 10:45 ` Mimi Zohar
2025-09-16 22:03 ` [PATCH v4 03/34] lsm: consolidate lsm_allowed() and prepare_lsm() into lsm_prepare() Paul Moore
2025-09-19 10:45 ` Mimi Zohar
2025-09-16 22:03 ` [PATCH v4 04/34] lsm: introduce looping macros for the initialization code Paul Moore
2025-09-19 10:45 ` Mimi Zohar
2025-09-16 22:03 ` [PATCH v4 05/34] lsm: integrate report_lsm_order() code into caller Paul Moore
2025-09-19 10:45 ` Mimi Zohar
2025-09-16 22:03 ` [PATCH v4 06/34] lsm: integrate lsm_early_cred() and lsm_early_task() " Paul Moore
2025-09-19 10:45 ` Mimi Zohar
2025-09-16 22:03 ` [PATCH v4 07/34] lsm: rename ordered_lsm_init() to lsm_init_ordered() Paul Moore
2025-09-19 10:45 ` Mimi Zohar
2025-09-16 22:03 ` [PATCH v4 08/34] lsm: replace the name field with a pointer to the lsm_id struct Paul Moore
2025-09-19 19:02 ` Mimi Zohar
2025-09-16 22:03 ` [PATCH v4 09/34] lsm: rename the lsm order variables for consistency Paul Moore
2025-09-19 19:02 ` Mimi Zohar
2025-09-16 22:03 ` [PATCH v4 10/34] lsm: rework lsm_active_cnt and lsm_idlist[] Paul Moore
2025-09-19 19:02 ` Mimi Zohar
2025-09-16 22:03 ` [PATCH v4 11/34] lsm: get rid of the lsm_names list and do some cleanup Paul Moore
2025-09-19 19:15 ` Mimi Zohar
2025-09-21 19:23 ` Paul Moore
2025-09-22 10:52 ` Mimi Zohar
2025-09-22 21:52 ` Paul Moore
2025-09-16 22:03 ` [PATCH v4 12/34] lsm: rework the LSM enable/disable setter/getter functions Paul Moore
2025-09-19 19:04 ` Mimi Zohar
2025-09-16 22:03 ` [PATCH v4 13/34] lsm: rename exists_ordered_lsm() to lsm_order_exists() Paul Moore
2025-09-19 19:05 ` Mimi Zohar
2025-09-16 22:03 ` [PATCH v4 14/34] lsm: rename/rework append_ordered_lsm() into lsm_order_append() Paul Moore
2025-09-16 22:03 ` [PATCH v4 15/34] lsm: rename/rework ordered_lsm_parse() to lsm_order_parse() Paul Moore
2025-09-18 11:29 ` Mimi Zohar
2025-09-18 15:38 ` Paul Moore
2025-09-18 15:55 ` Mimi Zohar
2025-09-16 22:03 ` [PATCH v4 16/34] lsm: cleanup the LSM blob size code Paul Moore
2025-09-18 15:14 ` Mimi Zohar
2025-09-16 22:03 ` [PATCH v4 17/34] lsm: cleanup initialize_lsm() and rename to lsm_init_single() Paul Moore
2025-09-18 15:28 ` Mimi Zohar
2025-09-16 22:03 ` [PATCH v4 18/34] lsm: fold lsm_init_ordered() into security_init() Paul Moore
2025-09-16 22:03 ` [PATCH v4 19/34] lsm: add/tweak function header comment blocks in lsm_init.c Paul Moore
2025-09-16 22:03 ` [PATCH v4 20/34] lsm: cleanup the debug and console output " Paul Moore
2025-09-18 15:50 ` Mimi Zohar
2025-09-18 15:54 ` Paul Moore
2025-09-16 22:03 ` [PATCH v4 21/34] lsm: output available LSMs when debugging Paul Moore
2025-09-18 17:11 ` Mimi Zohar
2025-09-16 22:03 ` [PATCH v4 22/34] lsm: group lsm_order_parse() with the other lsm_order_*() functions Paul Moore
2025-09-18 17:22 ` Mimi Zohar
2025-09-16 22:03 ` [PATCH v4 23/34] lsm: introduce an initcall mechanism into the LSM framework Paul Moore
2025-09-18 17:19 ` Mimi Zohar
2025-09-16 22:03 ` [PATCH v4 24/34] loadpin: move initcalls to " Paul Moore
2025-09-18 11:15 ` Mimi Zohar
2025-09-18 15:27 ` Paul Moore
2025-09-16 22:03 ` [PATCH v4 25/34] ipe: " Paul Moore
2025-09-16 22:03 ` [PATCH v4 26/34] smack: " Paul Moore
2025-09-16 22:03 ` [PATCH v4 27/34] tomoyo: " Paul Moore
2025-09-16 22:03 ` [PATCH v4 28/34] safesetid: " Paul Moore
2025-09-16 22:03 ` [PATCH v4 29/34] apparmor: " Paul Moore
2025-09-16 22:03 ` [PATCH v4 30/34] lockdown: " Paul Moore
2025-09-16 22:03 ` [PATCH v4 31/34] ima,evm: " Paul Moore
2025-09-30 20:11 ` Paul Moore
2025-10-01 17:03 ` Mimi Zohar
2025-10-01 17:23 ` Paul Moore
2025-10-10 16:53 ` Mimi Zohar
2025-10-10 19:21 ` Paul Moore
2025-10-10 10:19 ` Mimi Zohar
2025-09-16 22:03 ` Paul Moore [this message]
2025-09-16 22:04 ` [PATCH v4 33/34] lsm: consolidate all of the LSM framework initcalls Paul Moore
2025-09-16 22:04 ` [PATCH v4 34/34] lsm: add a LSM_STARTED_ALL notification event Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250916220355.252592-68-paul@paul-moore.com \
--to=paul@paul-moore.com \
--cc=casey@schaufler-ca.com \
--cc=gnoack@google.com \
--cc=john.johansen@canonical.com \
--cc=kees@kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=mortonm@chromium.org \
--cc=nicolas.bouchinet@oss.cyber.gouv.fr \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=roberto.sassu@huawei.com \
--cc=selinux@vger.kernel.org \
--cc=wufan@kernel.org \
--cc=xiujianfeng@huawei.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox