[RFC PATCH 27/29] lsm: consolidate all of the LSM framework initcalls

John Johansen john.johansen at canonical.com
Wed May 14 13:38:09 UTC 2025


On 4/9/25 11:50, Paul Moore wrote:
> The LSM framework itself registers a small number of initcalls; this
> patch converts these initcalls into the new initcall mechanism.
> 
> Signed-off-by: Paul Moore <paul at paul-moore.com>

Reviewed-by: John Johansen <john.johansen at canonical.com>

> ---
>   security/inode.c    |  3 +--
>   security/lsm.h      |  4 ++++
>   security/lsm_init.c | 14 ++++++++++++--
>   security/min_addr.c |  5 +++--
>   4 files changed, 20 insertions(+), 6 deletions(-)
> 
> diff --git a/security/inode.c b/security/inode.c
> index f687e22e6809..671c66c147bc 100644
> --- a/security/inode.c
> +++ b/security/inode.c
> @@ -375,7 +375,7 @@ static const struct file_operations lsm_ops = {
>   };
>   #endif
>   
> -static int __init securityfs_init(void)
> +int __init securityfs_init(void)
>   {
>   	int retval;
>   
> @@ -394,4 +394,3 @@ static int __init securityfs_init(void)
>   #endif
>   	return 0;
>   }
> -core_initcall(securityfs_init);
> diff --git a/security/lsm.h b/security/lsm.h
> index 8ecb66896646..c432dc0c5e30 100644
> --- a/security/lsm.h
> +++ b/security/lsm.h
> @@ -35,4 +35,8 @@ extern struct kmem_cache *lsm_inode_cache;
>   int lsm_cred_alloc(struct cred *cred, gfp_t gfp);
>   int lsm_task_alloc(struct task_struct *task);
>   
> +/* LSM framework initializers */
> +int securityfs_init(void);
> +int min_addr_init(void);
> +
>   #endif /* _LSM_H_ */
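Review bot: The two prototypes added here are unconditional, and the new callers in security/lsm_init.c call them unconditionally, so every configuration that builds lsm_init.c must also build security/inode.c and security/min_addr.c. The Makefile and Kconfig conditions are not part of this patch; if either file is optional (worth confirming against security/Makefile), the link fails and this header needs a stub such as `static inline int min_addr_init(void) { return 0; }` under the matching `#ifdef`. The reverse case deserves a check as well: with `pure_initcall(init_mmap_min_addr)` removed, a kernel that builds min_addr.c but not lsm_init.c would no longer register the sysctl table or call `update_mmap_min_addr()`, so the low-address mapping protection would silently lose its setup.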
> diff --git a/security/lsm_init.c b/security/lsm_init.c
> index 75eb0cc82869..c0881407ca3f 100644
> --- a/security/lsm_init.c
> +++ b/security/lsm_init.c
> @@ -485,7 +485,12 @@ int __init security_init(void)
>    */
>   static int __init security_initcall_pure(void)
>   {
> -	return lsm_initcall(pure);
> +	int rc_adr, rc_lsm;
> +
> +	rc_adr = min_addr_init();
> +	rc_lsm = lsm_initcall(pure);
> +
> +	return (rc_adr ? rc_adr : rc_lsm);
>   }
>   pure_initcall(security_initcall_pure);
>   
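Review bot: `return (rc_adr ? rc_adr : rc_lsm);` reports only the first error, so a failure in `lsm_initcall(pure)` is hidden whenever `min_addr_init()` also fails; security_initcall_core in the next hunk uses the same pattern with `securityfs_init()`. Both initializers run regardless of the first result, which looks deliberate but is not stated; a comment such as `/* run both initializers even if the first fails; return the first error */` would record it. The change also pins the order, with `min_addr_init()` now always ahead of the LSMs' pure initcalls and `securityfs_init()` ahead of their core initcalls, where the old separate initcalls presumably depended on link order; that belongs in each function's header comment, which starts outside the hunk. As visible in security/min_addr.c, `min_addr_init()` always returns 0, so `rc_adr` can never be non-zero today.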
> @@ -503,7 +508,12 @@ early_initcall(security_initcall_early);
>    */
>   static int __init security_initcall_core(void)
>   {
> -	return lsm_initcall(core);
> +	int rc_sfs, rc_lsm;
> +
> +	rc_sfs = securityfs_init();
> +	rc_lsm = lsm_initcall(core);
> +
> +	return (rc_sfs ? rc_sfs : rc_lsm);
>   }
>   core_initcall(security_initcall_core);
>   
> diff --git a/security/min_addr.c b/security/min_addr.c
> index df1bc643d886..40714bdeefbe 100644
> --- a/security/min_addr.c
> +++ b/security/min_addr.c
> @@ -4,6 +4,8 @@
>   #include <linux/security.h>
>   #include <linux/sysctl.h>
>   
> +#include "lsm.h"
> +
>   /* amount of vm to protect from userspace access by both DAC and the LSM*/
>   unsigned long mmap_min_addr;
>   /* amount of vm to protect from userspace using CAP_SYS_RAWIO (DAC) */
> @@ -54,11 +56,10 @@ static const struct ctl_table min_addr_sysctl_table[] = {
>   	},
>   };
>   
> -static int __init init_mmap_min_addr(void)
> +int __init min_addr_init(void)
>   {
>   	register_sysctl_init("vm", min_addr_sysctl_table);
>   	update_mmap_min_addr();
>   
>   	return 0;
>   }
> -pure_initcall(init_mmap_min_addr);



