From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-qt1-f181.google.com (mail-qt1-f181.google.com [209.85.160.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9517E3294E4 for ; Tue, 16 Sep 2025 22:14:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.160.181 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758060882; cv=none; b=YzxDllUpAPOsIubXOWyy5/lRwaWK3plrA+VJA1upOxX8i6ZOmblTOAswaSwOf/ysXO+dflrAif0J696TOv/hPAmRvakwCdX9cPtXyH60Z+3KWXbSaOMYgd/CvFK8cRPnqaDxkUsulzy4n++qrf80sILPGtddDsQXsxoiCAXLm3E= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758060882; c=relaxed/simple; bh=fNNvEwHs85RVuiOS+nzWVTaUeDMgvkWveLvQgv9zHYI=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=hlmwkH7kYpGT5bSDSSQaFDGIqqiQRkojEMw1kC37HVPNf44wsZK7aMZMv7WuxcfBrPCxQ+DYCImPziZIfGtXMXzjx4LMzE7dNXfvTn0LVA3pgaU+wrpT3iFLpyZtqajUWns4Poey/ReZzbD8QHTcn8zc3xIG7GCOocOtXEcS6JQ= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=paul-moore.com; spf=pass smtp.mailfrom=paul-moore.com; dkim=pass (2048-bit key) header.d=paul-moore.com header.i=@paul-moore.com header.b=SzJK+l68; arc=none smtp.client-ip=209.85.160.181 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=paul-moore.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=paul-moore.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=paul-moore.com header.i=@paul-moore.com header.b="SzJK+l68" Received: by mail-qt1-f181.google.com with SMTP id d75a77b69052e-4b5eee40cc0so58896131cf.0 for ; Tue, 16 Sep 2025 15:14:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore.com; s=google; t=1758060878; x=1758665678; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=whp0XMVfbFDmLv8zigRcxC92Enieh5uxcCZ41EyZ+AA=; b=SzJK+l68rzofIXp4dbl3PE0ZeBJncc68YaPXxSJODdMoRlR55F36HloJoJsEvq3Flh HWfalHa5NdwdWpULRnuFRdLdwRuJaywjCRrJMsTWZ/4QvF6XvVvQMG7KWypDFt5zTlaJ ZqD20Rf792lqyqKyCx1Qs9JkqxI0B/7Jg3gzHFxfqfd1sjMl98cw79DUu6y5HQ3U3Ayc 8XSOwwXBsoeewRAs0n3I/UAeQRlg5qxxIpyswVkwsK4FydzjaVrx9Ct2aYbpDaAQBtga /PWP+sZtMfcbxT9C2cpU3pxRQSpVjJUmclYzNea8htuaRR+mrX04QYuES8qoxsYDtPke 6iVA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1758060878; x=1758665678; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=whp0XMVfbFDmLv8zigRcxC92Enieh5uxcCZ41EyZ+AA=; b=buNiC8dBYJbHVJCeTGcqvSvgQU1Vxf+t7FDSIiDk/y0XUX6z0XO3MikBh39dN+Kfku ftgUSwGg+IQg6+Wu4AoNnmBHRQUHMSWd9uCXeq7glKrLcT+vNI/mijkdAnekhxDhhoX3 Gb/RGtSCbQ/mUg9gf2b+By7ATYIcGcgemFDwn3sXcqjwhDb6rnAsqqAuU9H2FaXfCc79 DCHrPSHfRFS7zXCfDtsCSYEcha9Kd+jj6++LX7okSm4VF+iCgP4FF+rkQdX52hiNOfrA 8WxfBftFIYHzDePfumCHyuRtWdD1wS9gN95V8h3jHsdwAgg9hLnnWtJp2jjharODLLS2 /ZhQ== X-Forwarded-Encrypted: i=1; AJvYcCUd8rp5oNGwVw9jECXiju+m5V18mGrEQltAd6/vx9sdUKx51lNn7v5/HJPZxkGRgdo42ImEdk9LkCFuY3WOsBM=@vger.kernel.org X-Gm-Message-State: AOJu0YxSOlx7N2l6jDXJ8pW/gmF4W0wqKxEcyQhBNAxRynJT2M+q7hDl CSkLBRofnqzitiM3TQok1tdV1khNSWZUhP/hxDUwgCw4zatMHlJs79F22o2BAXhyLA== X-Gm-Gg: ASbGncuBxDd7kXU8gfZ1+d+D8iAkEaWCv9vnKcdZNkYO54Y43wY/YRHjLqoau5qGr2/ /7lotI9QLx+gf1VA8VKzkeo9J4O+CcboYXpKO4pcHYrmd7BVneS5WgmC/iZDNJUb96eINyunxFQ 33BoY4/QZsjIQFRnQnVJukmxKjq6GZZBftTOwA3yA6DCUwPkQQO6iWSZlEPabPbUs7QoVgA/aj/ yd3fyff/e015P8VDYU10+zgdx2qaiWOrBJS7TsMyQZV3jJh+numlfzPcXOo66dTHQxktMOR059f FQWv+mUsyGeaIjbUWA3gdYkxp9xkFsDYtCrJChDS+0t1JbEf9PFuVdA1CFTpFZqvy0JsUPD3fFs FzTFqGQH0b+h3JNX2cILSW1PALG4k00YEEQCVD6ATcXkR1QYINm0N2NzYXOiT0IbJjs4JgH0jDO Z5hnc= X-Google-Smtp-Source: AGHT+IFrCCLXPIl2XhNHwJt05eQdcC9L/BNavEGAuckDU/DbnLoVjCdQ+uE80L8wbuDv+mPVg8kd5w== X-Received: by 2002:a05:622a:4a0b:b0:4b5:e6a7:304a with SMTP id d75a77b69052e-4ba66a3351fmr1139721cf.22.1758060878529; Tue, 16 Sep 2025 15:14:38 -0700 (PDT) Received: from localhost (pool-71-126-255-178.bstnma.fios.verizon.net. [71.126.255.178]) by smtp.gmail.com with UTF8SMTPSA id d75a77b69052e-4b639decd84sm90580771cf.50.2025.09.16.15.14.36 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 16 Sep 2025 15:14:37 -0700 (PDT) From: Paul Moore To: linux-security-module@vger.kernel.org, linux-integrity@vger.kernel.org, selinux@vger.kernel.org Cc: John Johansen , Mimi Zohar , Roberto Sassu , Fan Wu , =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= , =?UTF-8?q?G=C3=BCnther=20Noack?= , Kees Cook , Micah Morton , Casey Schaufler , Tetsuo Handa , Nicolas Bouchinet , Xiu Jianfeng Subject: [PATCH v4 32/34] selinux: move initcalls to the LSM framework Date: Tue, 16 Sep 2025 18:03:59 -0400 Message-ID: <20250916220355.252592-68-paul@paul-moore.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20250916220355.252592-36-paul@paul-moore.com> References: <20250916220355.252592-36-paul@paul-moore.com> Precedence: bulk X-Mailing-List: linux-integrity@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=10960; i=paul@paul-moore.com; h=from:subject; bh=fNNvEwHs85RVuiOS+nzWVTaUeDMgvkWveLvQgv9zHYI=; b=owEBbQKS/ZANAwAKAeog8tqXN4lzAcsmYgBoyd8y76WUbT4kkNXWY9S8HzUFBYQelS/DyKwYA tUirMFrZXqJAjMEAAEKAB0WIQRLQqjPB/KZ1VSXfu/qIPLalzeJcwUCaMnfMgAKCRDqIPLalzeJ cy7AD/9QayRCUYs1roTuM512SutZ6V+HkHEltajkqhwyzPnBksopvt7ECFOVkqMnNo3GuyY4n7L l6Hxb7mTyj0P410QlyeUfgzVzYh2sg/GAla2MqdwN9BlA0sBulSiavEq0gZ1ISBWaUaY36bNM40 HsMWW6lEXnkWpOSemkzrClcwlQbH3y4pcbPCYEOHUPprjaXQqck6/3dRzN1OF2/gIz3cp1QYQ1V pWIFhwr0nGaZD7tqkFdvB6LLBQohTJoW6mUbHJttwV7chCIrUBUptxKW2PvR9Lh98/HGfVQEsI8 hOjU7vuqhYyqrnocvRgWcx/jlOfndFDzp5tsfRODwRAbLnocFqLndASQYzxgWEhjK58EMmops2r 08wnWW97QnEsxPxH/QzhgaWqoaS9PhUMCMSlaYiCiRpAnr2tEQyHiS80GXFvgOVmeX80SmmcKz6 Y9EmieWPtuMC71V+kyPN9oC9ArWmHdEvsXOijGSxUCbD7zoyuD9y1DYIP6Dgu/x44Ff8g9gmLg1 u1l1iIUUnKnWGLq5fVH3lTVYSmRC0BamaNfCZBaD/mZrefrLA8FRjp2QKzNeuM06DfcER7LTrk6 n32aRPoAVVv4jCPw5PSjrjX7qRwAQW+8PG6a0iBfrG67ZyEhtIoNA3ein9KRx2g5EXQdqq1PrCo 0076K8uniimo6gA== X-Developer-Key: i=paul@paul-moore.com; a=openpgp; fpr=7100AADFAE6E6E940D2E0AD655E45A5AE8CA7C8A Content-Transfer-Encoding: 8bit SELinux currently has a number of initcalls so we've created a new function, selinux_initcall(), which wraps all of these initcalls so that we have a single initcall function that can be registered with the LSM framework. Signed-off-by: Paul Moore --- security/selinux/Makefile | 2 +- security/selinux/hooks.c | 9 +++-- security/selinux/ibpkey.c | 5 ++- security/selinux/include/audit.h | 9 +++++ security/selinux/include/initcalls.h | 19 ++++++++++ security/selinux/initcalls.c | 52 ++++++++++++++++++++++++++++ security/selinux/netif.c | 5 ++- security/selinux/netlink.c | 5 ++- security/selinux/netnode.c | 5 ++- security/selinux/netport.c | 5 ++- security/selinux/selinuxfs.c | 5 ++- security/selinux/ss/services.c | 26 ++++---------- 12 files changed, 107 insertions(+), 40 deletions(-) create mode 100644 security/selinux/include/initcalls.h create mode 100644 security/selinux/initcalls.c diff --git a/security/selinux/Makefile b/security/selinux/Makefile index 66e56e9011df..72d3baf7900c 100644 --- a/security/selinux/Makefile +++ b/security/selinux/Makefile @@ -15,7 +15,7 @@ ccflags-y := -I$(srctree)/security/selinux -I$(srctree)/security/selinux/include ccflags-$(CONFIG_SECURITY_SELINUX_DEBUG) += -DDEBUG selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \ - netnode.o netport.o status.o \ + netnode.o netport.o status.o initcalls.o \ ss/ebitmap.o ss/hashtab.o ss/symtab.o ss/sidtab.o ss/avtab.o \ ss/policydb.o ss/services.o ss/conditional.o ss/mls.o ss/context.o diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index d94b1ff316ba..faa78d16e1b9 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -94,6 +94,7 @@ #include #include +#include "initcalls.h" #include "avc.h" #include "objsec.h" #include "netif.h" @@ -7603,6 +7604,10 @@ static __init int selinux_init(void) if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) panic("SELinux: Unable to register AVC LSM notifier callback\n"); + if (avc_add_callback(selinux_audit_rule_avc_callback, + AVC_CALLBACK_RESET)) + panic("SELinux: Unable to register AVC audit callback\n"); + if (selinux_enforcing_boot) pr_debug("SELinux: Starting in enforcing mode\n"); else @@ -7635,6 +7640,7 @@ DEFINE_LSM(selinux) = { .enabled = &selinux_enabled_boot, .blobs = &selinux_blob_sizes, .init = selinux_init, + .initcall_device = selinux_initcall, }; #if defined(CONFIG_NETFILTER) @@ -7696,7 +7702,7 @@ static struct pernet_operations selinux_net_ops = { .exit = selinux_nf_unregister, }; -static int __init selinux_nf_ip_init(void) +int __init selinux_nf_ip_init(void) { int err; @@ -7711,5 +7717,4 @@ static int __init selinux_nf_ip_init(void) return 0; } -__initcall(selinux_nf_ip_init); #endif /* CONFIG_NETFILTER */ diff --git a/security/selinux/ibpkey.c b/security/selinux/ibpkey.c index 470481cfe0e8..ea1d9b2c7d2b 100644 --- a/security/selinux/ibpkey.c +++ b/security/selinux/ibpkey.c @@ -23,6 +23,7 @@ #include #include +#include "initcalls.h" #include "ibpkey.h" #include "objsec.h" @@ -218,7 +219,7 @@ void sel_ib_pkey_flush(void) spin_unlock_irqrestore(&sel_ib_pkey_lock, flags); } -static __init int sel_ib_pkey_init(void) +int __init sel_ib_pkey_init(void) { int iter; @@ -232,5 +233,3 @@ static __init int sel_ib_pkey_init(void) return 0; } - -subsys_initcall(sel_ib_pkey_init); diff --git a/security/selinux/include/audit.h b/security/selinux/include/audit.h index d5b0425055e4..85a531ac737b 100644 --- a/security/selinux/include/audit.h +++ b/security/selinux/include/audit.h @@ -15,6 +15,15 @@ #include #include +/** + * selinux_audit_rule_avc_callback - update the audit LSM rules on AVC events. + * @event: the AVC event + * + * Update any audit LSM rules based on the AVC event specified in @event. + * Returns 0 on success, negative values otherwise. + */ +int selinux_audit_rule_avc_callback(u32 event); + /** * selinux_audit_rule_init - alloc/init an selinux audit rule structure. * @field: the field this rule refers to diff --git a/security/selinux/include/initcalls.h b/security/selinux/include/initcalls.h new file mode 100644 index 000000000000..6674cf489473 --- /dev/null +++ b/security/selinux/include/initcalls.h @@ -0,0 +1,19 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * SELinux initcalls + */ + +#ifndef _SELINUX_INITCALLS_H +#define _SELINUX_INITCALLS_H + +int init_sel_fs(void); +int sel_netport_init(void); +int sel_netnode_init(void); +int sel_netif_init(void); +int sel_netlink_init(void); +int sel_ib_pkey_init(void); +int selinux_nf_ip_init(void); + +int selinux_initcall(void); + +#endif diff --git a/security/selinux/initcalls.c b/security/selinux/initcalls.c new file mode 100644 index 000000000000..f6716a1d38c1 --- /dev/null +++ b/security/selinux/initcalls.c @@ -0,0 +1,52 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * SELinux initcalls + */ + +#include + +#include "initcalls.h" + +/** + * selinux_initcall - Perform the SELinux initcalls + * + * Used as a device initcall in the SELinux LSM definition. + */ +int __init selinux_initcall(void) +{ + int rc = 0, rc_tmp = 0; + + rc_tmp = init_sel_fs(); + if (!rc && rc_tmp) + rc = rc_tmp; + + rc_tmp = sel_netport_init(); + if (!rc && rc_tmp) + rc = rc_tmp; + + rc_tmp = sel_netnode_init(); + if (!rc && rc_tmp) + rc = rc_tmp; + + rc_tmp = sel_netif_init(); + if (!rc && rc_tmp) + rc = rc_tmp; + + rc_tmp = sel_netlink_init(); + if (!rc && rc_tmp) + rc = rc_tmp; + +#if defined(CONFIG_SECURITY_INFINIBAND) + rc_tmp = sel_ib_pkey_init(); + if (!rc && rc_tmp) + rc = rc_tmp; +#endif + +#if defined(CONFIG_NETFILTER) + rc_tmp = selinux_nf_ip_init(); + if (!rc && rc_tmp) + rc = rc_tmp; +#endif + + return rc; +} diff --git a/security/selinux/netif.c b/security/selinux/netif.c index 78afbecdbe57..e24b2cba28ea 100644 --- a/security/selinux/netif.c +++ b/security/selinux/netif.c @@ -22,6 +22,7 @@ #include #include +#include "initcalls.h" #include "security.h" #include "objsec.h" #include "netif.h" @@ -265,7 +266,7 @@ static struct notifier_block sel_netif_netdev_notifier = { .notifier_call = sel_netif_netdev_notifier_handler, }; -static __init int sel_netif_init(void) +int __init sel_netif_init(void) { int i; @@ -280,5 +281,3 @@ static __init int sel_netif_init(void) return 0; } -__initcall(sel_netif_init); - diff --git a/security/selinux/netlink.c b/security/selinux/netlink.c index 1760aee712fd..eb40e4603475 100644 --- a/security/selinux/netlink.c +++ b/security/selinux/netlink.c @@ -17,6 +17,7 @@ #include #include +#include "initcalls.h" #include "security.h" static struct sock *selnl __ro_after_init; @@ -105,7 +106,7 @@ void selnl_notify_policyload(u32 seqno) selnl_notify(SELNL_MSG_POLICYLOAD, &seqno); } -static int __init selnl_init(void) +int __init sel_netlink_init(void) { struct netlink_kernel_cfg cfg = { .groups = SELNLGRP_MAX, @@ -117,5 +118,3 @@ static int __init selnl_init(void) panic("SELinux: Cannot create netlink socket."); return 0; } - -__initcall(selnl_init); diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c index 5d0ed08d46e5..9b3da5ce8d39 100644 --- a/security/selinux/netnode.c +++ b/security/selinux/netnode.c @@ -30,6 +30,7 @@ #include #include +#include "initcalls.h" #include "netnode.h" #include "objsec.h" @@ -290,7 +291,7 @@ void sel_netnode_flush(void) spin_unlock_bh(&sel_netnode_lock); } -static __init int sel_netnode_init(void) +int __init sel_netnode_init(void) { int iter; @@ -304,5 +305,3 @@ static __init int sel_netnode_init(void) return 0; } - -__initcall(sel_netnode_init); diff --git a/security/selinux/netport.c b/security/selinux/netport.c index 6fd7da4b3576..9e62f7285e81 100644 --- a/security/selinux/netport.c +++ b/security/selinux/netport.c @@ -29,6 +29,7 @@ #include #include +#include "initcalls.h" #include "netport.h" #include "objsec.h" @@ -218,7 +219,7 @@ void sel_netport_flush(void) spin_unlock_bh(&sel_netport_lock); } -static __init int sel_netport_init(void) +int __init sel_netport_init(void) { int iter; @@ -232,5 +233,3 @@ static __init int sel_netport_init(void) return 0; } - -__initcall(sel_netport_init); diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 9aa1d03ab612..657e6ff65be7 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -35,6 +35,7 @@ /* selinuxfs pseudo filesystem for exporting the security policy API. Based on the proc code and the fs/nfsd/nfsctl.c code. */ +#include "initcalls.h" #include "flask.h" #include "avc.h" #include "avc_ss.h" @@ -2130,7 +2131,7 @@ static struct file_system_type sel_fs_type = { struct path selinux_null __ro_after_init; -static int __init init_sel_fs(void) +int __init init_sel_fs(void) { struct qstr null_name = QSTR_INIT(NULL_FILE_NAME, sizeof(NULL_FILE_NAME)-1); @@ -2174,5 +2175,3 @@ static int __init init_sel_fs(void) return err; } - -__initcall(init_sel_fs); diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 713130bd43c4..13fc712d5923 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -3570,6 +3570,13 @@ struct selinux_audit_rule { struct context au_ctxt; }; +int selinux_audit_rule_avc_callback(u32 event) +{ + if (event == AVC_CALLBACK_RESET) + return audit_update_lsm_rules(); + return 0; +} + void selinux_audit_rule_free(void *vrule) { struct selinux_audit_rule *rule = vrule; @@ -3820,25 +3827,6 @@ int selinux_audit_rule_match(struct lsm_prop *prop, u32 field, u32 op, void *vru return match; } -static int aurule_avc_callback(u32 event) -{ - if (event == AVC_CALLBACK_RESET) - return audit_update_lsm_rules(); - return 0; -} - -static int __init aurule_init(void) -{ - int err; - - err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET); - if (err) - panic("avc_add_callback() failed, error %d\n", err); - - return err; -} -__initcall(aurule_init); - #ifdef CONFIG_NETLABEL /** * security_netlbl_cache_add - Add an entry to the NetLabel cache -- 2.51.0