[PATCH v3 26/34] smack: move initcalls to the LSM framework

John Johansen john.johansen at canonical.com
Tue Sep 2 18:08:24 UTC 2025


On 8/14/25 15:50, Paul Moore wrote:
> As the LSM framework only supports one LSM initcall callback for each
> initcall type, the init_smk_fs() and smack_nf_ip_init() functions were
> wrapped with a new function, smack_initcall() that is registered with
> the LSM framework.
> 
> Acked-by: Casey Schaufler <casey at schaufler-ca.com>
> Signed-off-by: Paul Moore <paul at paul-moore.com>

Reviewed-by: John Johansen <john.johansen at canonical.com>

> ---
>   security/smack/smack.h           | 14 ++++++++++++++
>   security/smack/smack_lsm.c       |  9 +++++++++
>   security/smack/smack_netfilter.c |  4 +---
>   security/smack/smackfs.c         |  4 +---
>   4 files changed, 25 insertions(+), 6 deletions(-)
> 
> diff --git a/security/smack/smack.h b/security/smack/smack.h
> index bf6a6ed3946c..c56e1e876f7c 100644
> --- a/security/smack/smack.h
> +++ b/security/smack/smack.h
> @@ -275,6 +275,20 @@ struct smk_audit_info {
>   #endif
>   };
>   
> +/*
> + * Initialization
> + */
> +#if defined(CONFIG_SECURITY_SMACK_NETFILTER)
> +int smack_nf_ip_init(void);
> +#else
> +static inline int smack_nf_ip_init(void)
> +{
> +	return 0;
> +}
> +#endif
> +int init_smk_fs(void);
> +int smack_initcall(void);
> +
>   /*
>    * These functions are in smack_access.c
>    */
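Review bot: The `int smack_initcall(void);` prototype added here looks unnecessary, because the only definition and the only reference visible in this patch are both in smack_lsm.c (the function itself and the `.initcall_device` entry in DEFINE_LSM). If no other file calls it, declaring it `static int __init smack_initcall(void)` in smack_lsm.c and dropping this line would keep the symbol out of the Smack-wide header. The `smack_nf_ip_init()` and `init_smk_fs()` prototypes are needed, since those definitions lose `static` in the later hunks.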
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index e09490c75f59..f14d536c516b 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -5270,6 +5270,14 @@ static __init int smack_init(void)
>   	return 0;
>   }
>   
> +int __init smack_initcall(void)
> +{
> +	int rc_fs = init_smk_fs();
> +	int rc_nf = smack_nf_ip_init();
> +
> +	return rc_fs ? rc_fs : rc_nf;
> +}
> +
>   /*
>    * Smack requires early initialization in order to label
>    * all processes and objects when they are created.
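Review bot: smack_initcall() drops the netfilter error whenever init_smk_fs() also fails, because `return rc_fs ? rc_fs : rc_nf;` reports only the first non-zero code, and nothing in the function says that both initializers run unconditionally on purpose. That appears to match the old behaviour of two independent `__initcall`s, but a failed register_pernet_subsys() leaves Smack's netfilter hooks unregistered, so the function deserves a comment such as `/* Run both initializers regardless of failure; the smackfs error takes precedence. */`. How the LSM framework handles the returned value is not visible in this patch, so it should be confirmed that a non-zero rc_nf is at least logged somewhere.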
> @@ -5279,4 +5287,5 @@ DEFINE_LSM(smack) = {
>   	.flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
>   	.blobs = &smack_blob_sizes,
>   	.init = smack_init,
> +	.initcall_device = smack_initcall,
>   };
> diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c
> index 8fd747b3653a..17ba578b1308 100644
> --- a/security/smack/smack_netfilter.c
> +++ b/security/smack/smack_netfilter.c
> @@ -68,7 +68,7 @@ static struct pernet_operations smack_net_ops = {
>   	.exit = smack_nf_unregister,
>   };
>   
> -static int __init smack_nf_ip_init(void)
> +int __init smack_nf_ip_init(void)
>   {
>   	if (smack_enabled == 0)
>   		return 0;
> @@ -76,5 +76,3 @@ static int __init smack_nf_ip_init(void)
>   	printk(KERN_DEBUG "Smack: Registering netfilter hooks\n");
>   	return register_pernet_subsys(&smack_net_ops);
>   }
> -
> -__initcall(smack_nf_ip_init);
> diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
> index b1e5e62f5cbd..405ace6db109 100644
> --- a/security/smack/smackfs.c
> +++ b/security/smack/smackfs.c
> @@ -2978,7 +2978,7 @@ static struct vfsmount *smackfs_mount;
>    * Returns true if we were not chosen on boot or if
>    * we were chosen and filesystem registration succeeded.
>    */
> -static int __init init_smk_fs(void)
> +int __init init_smk_fs(void)
>   {
>   	int err;
>   	int rc;
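Review bot: The comment above init_smk_fs() still says it "Returns true if we were not chosen on boot or if we were chosen and filesystem registration succeeded", but the function ends with `return err;` and its new caller smack_initcall() treats any non-zero value as a failure code. Now that the function is no longer static, the comment should describe the real contract, for example `* Returns 0 if Smack was not chosen on boot or on success, otherwise an error code.` Most of the body lies outside this hunk, so the exact set of return values should be checked against the full function before rewording.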
> @@ -3021,5 +3021,3 @@ static int __init init_smk_fs(void)
>   
>   	return err;
>   }
> -
> -__initcall(init_smk_fs);



