[RFC PATCH 20/29] smack: move initcalls to the LSM framework
Paul Moore
paul at paul-moore.com
Wed Apr 9 18:50:05 UTC 2025
As the LSM framework only supports one LSM initcall callback for each
initcall type, the init_smk_fs() and smack_nf_ip_init() functions were
wrapped with a new function, smack_initcall(), that is registered with
the LSM framework.
Signed-off-by: Paul Moore <paul at paul-moore.com>
---
security/smack/smack.h | 6 ++++++
security/smack/smack_lsm.c | 16 ++++++++++++++++
security/smack/smack_netfilter.c | 4 +---
security/smack/smackfs.c | 4 +---
4 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/security/smack/smack.h b/security/smack/smack.h
index bf6a6ed3946c..709e0d6cd5e1 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -275,6 +275,12 @@ struct smk_audit_info {
#endif
};
+/*
+ * Initialization
+ */
+int init_smk_fs(void);
+int smack_nf_ip_init(void);
+
/*
* These functions are in smack_access.c
*/
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index e09b33fed5f0..80b129a0c92c 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -5277,6 +5277,21 @@ static __init int smack_init(void)
return 0;
}
+static int smack_initcall(void)
+{
+ int rc, rc_tmp;
+
+ rc_tmp = init_smk_fs();
+ if (rc_tmp)
+ rc = rc_tmp;
+
+ rc_tmp = smack_nf_ip_init();
+ if (!rc && rc_tmp)
+ rc = rc_tmp;
+
+ return rc;
+}
+
/*
* Smack requires early initialization in order to label
* all processes and objects when they are created.
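Review bot: `rc` in smack_initcall() is read without ever being initialized when init_smk_fs() returns 0: the `if (!rc && rc_tmp)` test and the final `return rc;` then operate on an indeterminate value. As a result, a failed netfilter hook registration in smack_nf_ip_init() can go unreported, or a spurious error can be returned on a clean boot. Declaring `int rc = 0, rc_tmp;` fixes this. The wrapper also calls two `__init` functions without being `__init` itself, which would normally trigger a section-mismatch warning; `static int __init smack_initcall(void)` looks like the intended signature, provided the framework only invokes it during boot.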
@@ -5286,4 +5301,5 @@ DEFINE_LSM(smack) = {
.flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
.blobs = &smack_blob_sizes,
.init = smack_init,
+ .initcall_device = smack_initcall,
};
diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c
index 8fd747b3653a..17ba578b1308 100644
--- a/security/smack/smack_netfilter.c
+++ b/security/smack/smack_netfilter.c
@@ -68,7 +68,7 @@ static struct pernet_operations smack_net_ops = {
.exit = smack_nf_unregister,
};
-static int __init smack_nf_ip_init(void)
+int __init smack_nf_ip_init(void)
{
if (smack_enabled == 0)
return 0;
@@ -76,5 +76,3 @@ static int __init smack_nf_ip_init(void)
printk(KERN_DEBUG "Smack: Registering netfilter hooks\n");
return register_pernet_subsys(&smack_net_ops);
}
-
-__initcall(smack_nf_ip_init);
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 90a67e410808..d33dd0368807 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -2980,7 +2980,7 @@ static struct vfsmount *smackfs_mount;
* Returns true if we were not chosen on boot or if
* we were chosen and filesystem registration succeeded.
*/
-static int __init init_smk_fs(void)
+int __init init_smk_fs(void)
{
int err;
int rc;
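Review bot: The context comment above init_smk_fs() still says "Returns true if we were not chosen on boot or if we were chosen and filesystem registration succeeded", which does not match how the value is used now. The function ends in `return err;` (visible in the next hunk), and smack_initcall() treats any non-zero result as a failure. Since the function is now exported through smack.h, the comment should state the real convention, e.g. `* Returns 0 if we were not chosen on boot or if registration succeeded, otherwise an error code.` The function body lies mostly outside this hunk, so the exact error values should be confirmed against the full source.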
@@ -3023,5 +3023,3 @@ static int __init init_smk_fs(void)
return err;
}
-
-__initcall(init_smk_fs);
--
2.49.0