[RFC PATCH 20/29] smack: move initcalls to the LSM framework
Fan Wu
wufan at kernel.org
Mon Apr 14 21:04:07 UTC 2025
On Wed, Apr 9, 2025 at 11:53 AM Paul Moore <paul at paul-moore.com> wrote:
>
> As the LSM framework only supports one LSM initcall callback for each
> initcall type, the init_smk_fs() and smack_nf_ip_init() functions were
> wrapped with a new function, smack_initcall() that is registered with
> the LSM framework.
>
> Signed-off-by: Paul Moore <paul at paul-moore.com>
> ---
> security/smack/smack.h | 6 ++++++
> security/smack/smack_lsm.c | 16 ++++++++++++++++
> security/smack/smack_netfilter.c | 4 +---
> security/smack/smackfs.c | 4 +---
> 4 files changed, 24 insertions(+), 6 deletions(-)
>
> diff --git a/security/smack/smack.h b/security/smack/smack.h
> index bf6a6ed3946c..709e0d6cd5e1 100644
> --- a/security/smack/smack.h
> +++ b/security/smack/smack.h
> @@ -275,6 +275,12 @@ struct smk_audit_info {
> #endif
> };
>
> +/*
> + * Initialization
> + */
> +int init_smk_fs(void);
> +int smack_nf_ip_init(void);
> +
> /*
> * These functions are in smack_access.c
> */
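Review bot: The prototype `int smack_nf_ip_init(void);` is added here unconditionally, and smack_initcall() in smack_lsm.c calls it unconditionally as well. If smack_netfilter.c is only compiled when a Kconfig option is enabled (I believe CONFIG_SECURITY_SMACK_NETFILTER, but the build rules are not on this page), a kernel configured without it would fail to link. Guarding the declaration with that option and providing a stub such as `static inline int smack_nf_ip_init(void) { return 0; }` for the disabled case would keep both configurations building.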
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index e09b33fed5f0..80b129a0c92c 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -5277,6 +5277,21 @@ static __init int smack_init(void)
> return 0;
> }
>
> +static int smack_initcall(void)
> +{
> + int rc, rc_tmp;
> +
> + rc_tmp = init_smk_fs();
> + if (rc_tmp)
> + rc = rc_tmp;
> +
> + rc_tmp = smack_nf_ip_init();
> + if (!rc && rc_tmp)
> + rc = rc_tmp;
> +
> + return rc;
> +}
> +
> /*
> * Smack requires early initialization in order to label
> * all processes and objects when they are created.
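Review bot: `rc` in smack_initcall() is declared without an initializer and is only assigned when init_smk_fs() returns nonzero. On the normal success path, `if (!rc && rc_tmp)` and `return rc;` therefore read an indeterminate value. That can hide a failure to register the netfilter hooks, or report a spurious error to the LSM framework when both steps succeeded. Declaring it as `int rc = 0, rc_tmp;` fixes this and keeps the "first error wins" behaviour the two checks are aiming for.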
> @@ -5286,4 +5301,5 @@ DEFINE_LSM(smack) = {
> .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
> .blobs = &smack_blob_sizes,
> .init = smack_init,
> + .initcall_device = smack_initcall,
> };
> diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c
> index 8fd747b3653a..17ba578b1308 100644
> --- a/security/smack/smack_netfilter.c
> +++ b/security/smack/smack_netfilter.c
> @@ -68,7 +68,7 @@ static struct pernet_operations smack_net_ops = {
> .exit = smack_nf_unregister,
> };
>
> -static int __init smack_nf_ip_init(void)
> +int __init smack_nf_ip_init(void)
> {
> if (smack_enabled == 0)
> return 0;
> @@ -76,5 +76,3 @@ static int __init smack_nf_ip_init(void)
> printk(KERN_DEBUG "Smack: Registering netfilter hooks\n");
> return register_pernet_subsys(&smack_net_ops);
> }
> -
> -__initcall(smack_nf_ip_init);
> diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
> index 90a67e410808..d33dd0368807 100644
> --- a/security/smack/smackfs.c
> +++ b/security/smack/smackfs.c
> @@ -2980,7 +2980,7 @@ static struct vfsmount *smackfs_mount;
> * Returns true if we were not chosen on boot or if
> * we were chosen and filesystem registration succeeded.
> */
> -static int __init init_smk_fs(void)
> +int __init init_smk_fs(void)
> {
> int err;
> int rc;
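Review bot: The context comment above init_smk_fs() still says the function "Returns true" on success, but it is typed `int`, its visible tail ends in `return err;`, and the new caller smack_initcall() treats any nonzero result as a failure. Now that the function is no longer static and is declared in smack.h, the comment should state the real contract, for example `* Returns 0 if Smack was not chosen on boot or if registration succeeded, an error code otherwise.` The body between the two smackfs.c hunks is not shown here, so the exact error values should be confirmed against the full function.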
> @@ -3023,5 +3023,3 @@ static int __init init_smk_fs(void)
>
> return err;
> }
> -
> -__initcall(init_smk_fs);
> --
> 2.49.0
>
I'm getting the following WARNING:
WARNING: modpost: vmlinux: section mismatch in reference:
smack_initcall+0xb (section: .text) -> init_smk_fs (section:
.init.text)
WARNING: modpost: vmlinux: section mismatch in reference:
smack_initcall+0x16 (section: .text) -> smack_nf_ip_init (section:
.init.text)
WARNING: modpost: vmlinux: section mismatch in reference:
smack_initcall+0x27 (section: .text) -> smack_nf_ip_init (section:
.init.text)
I guess "__init" is missing from smack_initcall?
-Fan