[RFC PATCH 04/29] lsm: simplify ordered_lsm_init() and rename to lsm_init_ordered()
Paul Moore
paul at paul-moore.com
Wed Apr 9 22:31:18 UTC 2025
On Wed, Apr 9, 2025 at 5:38 PM Kees Cook <kees at kernel.org> wrote:
>
> On Wed, Apr 09, 2025 at 02:49:49PM -0400, Paul Moore wrote:
> > One part of a larger effort to clean up the LSM framework initialization
> > code.
>
> Again, needs a better commit log.
See my previous comments as well as the cover letter for the reason why.
> > diff --git a/security/lsm_init.c b/security/lsm_init.c
> > index dffa8dc2da36..407429688f1b 100644
> > --- a/security/lsm_init.c
> > +++ b/security/lsm_init.c
> > @@ -32,6 +32,12 @@ static __initdata bool debug;
> > pr_info(__VA_ARGS__); \
> > } while (0)
> >
> > +#define lsm_order_for_each(iter) \
> > + for ((iter) = ordered_lsms; *(iter); (iter)++)
> > +#define lsm_early_for_each_raw(iter) \
> > + for ((iter) = __start_early_lsm_info; \
> > + (iter) < __end_early_lsm_info; (iter)++)
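Review bot: both new macros are undocumented; add a one-line comment above each saying what it walks (lsm_order_for_each iterates the NULL-terminated ordered_lsms array, lsm_early_for_each_raw iterates the __start_early_lsm_info..__end_early_lsm_info section) and that lsm_order_for_each only yields meaningful entries once ordered_lsm_parse() has filled ordered_lsms, since the macro hard-codes that global rather than taking the array as a parameter.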
>
> The longer I look at this patch the longer I think it needs to be broken
> up into a few separate patches, but they would be relatively small, like
> this one: replace iter loops with iter macros.
Fair point, done.
> > @@ -340,10 +304,23 @@ static void __init ordered_lsm_init(void)
> > } else
> > ordered_lsm_parse(builtin_lsm_order, "builtin");
> >
> > - for (lsm = ordered_lsms; *lsm; lsm++)
> > + lsm_order_for_each(lsm) {
> > lsm_prep_single(*lsm);
> > + }
> >
> > - report_lsm_order();
> > + pr_info("initializing lsm=");
> > + lsm_early_for_each_raw(early) {
> > + if (is_enabled(early))
> > + pr_cont("%s%s",
> > + early == __start_early_lsm_info ? "" : ",",
> > + early->name);
> > + }
> > + lsm_order_for_each(lsm) {
> > + if (is_enabled(*lsm))
> > + pr_cont("%s%s",
> > + lsm == ordered_lsms ? "" : ",", (*lsm)->name);
> > + }
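Review bot: the comma logic in the replacement for report_lsm_order() is wrong in two cases: if the first entry of __start_early_lsm_info is not enabled, the first name actually printed gets a leading comma (the check is on position, not on whether anything has been printed), and the first enabled entry of ordered_lsms is always printed without a comma even when early LSM names were already emitted, so the two groups run together. Keep a single counter shared by both loops, e.g. `pr_cont("%s%s", first++ == 0 ? "" : ",", early->name);` and the same in the second loop, as the removed report_lsm_order() did. Minor: the braces around the single-statement `lsm_prep_single(*lsm);` loop are not needed in kernel style.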
>
> report_lsm_order()'s use of "first" needs to stay here or you don't get
> the right comma/no-comma behavior. It's not about the lsm, it's about
> whether "first" got incremented. Perhaps "count" might be a better name
> for "first".
Sure, I'll just put the "first" code back; it all gets changed later
in the patchset anyway. No need to worry about long-term stuff in this
snippet.
--
paul-moore.com