[PATCH v3 18/34] lsm: fold lsm_init_ordered() into security_init()

John Johansen john.johansen at canonical.com
Wed Sep 3 08:47:28 UTC 2025 

On 8/14/25 15:50, Paul Moore wrote:
> With only security_init() calling lsm_init_ordered, it makes little
> sense to keep lsm_init_ordered() as a standalone function.  Fold
> lsm_init_ordered() into security_init().
> 
> Reviewed-by: Casey Schaufler <casey at schaufler-ca.com>
> Signed-off-by: Paul Moore <paul at paul-moore.com>

Reviewed-by: John Johansen <john.johansen at canonical.com>

> ---
>   security/lsm_init.c | 159 ++++++++++++++++++++------------------------
>   1 file changed, 73 insertions(+), 86 deletions(-)
> 
> diff --git a/security/lsm_init.c b/security/lsm_init.c
> index 1f64222925c1..f87f5441617b 100644
> --- a/security/lsm_init.c
> +++ b/security/lsm_init.c
> @@ -18,6 +18,9 @@ static __initdata int lsm_enabled_false = 0;
>   extern struct lsm_info __start_lsm_info[], __end_lsm_info[];
>   extern struct lsm_info __start_early_lsm_info[], __end_early_lsm_info[];
>   
> +/* Number of "early" LSMs */
> +static __initdata unsigned int lsm_count_early;
> +
>   /* Build and boot-time LSM ordering. */
>   static __initconst const char *const lsm_order_builtin = CONFIG_LSM;
>   static __initdata const char *lsm_order_cmdline;
> @@ -169,7 +172,6 @@ static void __init lsm_order_append(struct lsm_info *lsm, const char *src)
>   		   lsm_is_enabled(lsm) ? "enabled" : "disabled");
>   }
>   
> -
>   /**
>    * lsm_blob_size_update - Update the LSM blob size and offset information
>    * @sz_req: the requested additional blob size
> @@ -313,14 +315,74 @@ static void __init lsm_order_parse(const char *list, const char *src)
>   	}
>   }
>   
> -/**
> - * lsm_init_ordered - Initialize the ordered LSMs
> - */
> -static void __init lsm_init_ordered(void)
> +static void __init lsm_static_call_init(struct security_hook_list *hl)
>   {
> -	unsigned int first = 0;
> +	struct lsm_static_call *scall = hl->scalls;
> +	int i;
> +
> +	for (i = 0; i < MAX_LSM_COUNT; i++) {
> +		/* Update the first static call that is not used yet */
> +		if (!scall->hl) {
> +			__static_call_update(scall->key, scall->trampoline,
> +					     hl->hook.lsm_func_addr);
> +			scall->hl = hl;
> +			static_branch_enable(scall->active);
> +			return;
> +		}
> +		scall++;
> +	}
> +	panic("%s - Ran out of static slots.\n", __func__);
> +}
> +
> +/**
> + * security_add_hooks - Add a modules hooks to the hook lists.
> + * @hooks: the hooks to add
> + * @count: the number of hooks to add
> + * @lsmid: the identification information for the security module
> + *
> + * Each LSM has to register its hooks with the infrastructure.
> + */
> +void __init security_add_hooks(struct security_hook_list *hooks, int count,
> +			       const struct lsm_id *lsmid)
> +{
> +	int i;
> +
> +	for (i = 0; i < count; i++) {
> +		hooks[i].lsmid = lsmid;
> +		lsm_static_call_init(&hooks[i]);
> +	}
> +}
> +
> +int __init early_security_init(void)
> +{
> +	struct lsm_info *lsm;
> +
> +	lsm_early_for_each_raw(lsm) {
> +		lsm_enabled_set(lsm, true);
> +		lsm_order_append(lsm, "early");
> +		lsm_prepare(lsm);
> +		lsm_init_single(lsm);
> +		lsm_count_early++;
> +	}
> +
> +	return 0;
> +}
> +
> +/**
> + * security_init - Initializes the LSM framework
> + *
> + * This should be called early in the kernel initialization sequence.
> + */
> +int __init security_init(void)
> +{
> +	unsigned int cnt;
>   	struct lsm_info **lsm;
>   	struct lsm_info *early;
> +	unsigned int first = 0;
> +
> +	init_debug("legacy security=%s\n", lsm_order_legacy ? : " *unspecified*");
> +	init_debug("  CONFIG_LSM=%s\n", lsm_order_builtin);
> +	init_debug("boot arg lsm=%s\n", lsm_order_cmdline ? : " *unspecified*");
>   
>   	if (lsm_order_cmdline) {
>   		if (lsm_order_legacy) {
> @@ -332,9 +394,8 @@ static void __init lsm_init_ordered(void)
>   	} else
>   		lsm_order_parse(lsm_order_builtin, "builtin");
>   
> -	lsm_order_for_each(lsm) {
> +	lsm_order_for_each(lsm)
>   		lsm_prepare(*lsm);
> -	}
>   
>   	pr_info("initializing lsm=");
>   	lsm_early_for_each_raw(early) {
> @@ -383,87 +444,13 @@ static void __init lsm_init_ordered(void)
>   	if (lsm_task_alloc(current))
>   		panic("%s: early task alloc failed.\n", __func__);
>   
> +	cnt = 0;
>   	lsm_order_for_each(lsm) {
> +		/* skip the "early" LSMs as they have already been setup */
> +		if (cnt++ < lsm_count_early)
> +			continue;
>   		lsm_init_single(*lsm);
>   	}
> -}
> -
> -static void __init lsm_static_call_init(struct security_hook_list *hl)
> -{
> -	struct lsm_static_call *scall = hl->scalls;
> -	int i;
> -
> -	for (i = 0; i < MAX_LSM_COUNT; i++) {
> -		/* Update the first static call that is not used yet */
> -		if (!scall->hl) {
> -			__static_call_update(scall->key, scall->trampoline,
> -					     hl->hook.lsm_func_addr);
> -			scall->hl = hl;
> -			static_branch_enable(scall->active);
> -			return;
> -		}
> -		scall++;
> -	}
> -	panic("%s - Ran out of static slots.\n", __func__);
> -}
> -
> -/**
> - * security_add_hooks - Add a modules hooks to the hook lists.
> - * @hooks: the hooks to add
> - * @count: the number of hooks to add
> - * @lsmid: the identification information for the security module
> - *
> - * Each LSM has to register its hooks with the infrastructure.
> - */
> -void __init security_add_hooks(struct security_hook_list *hooks, int count,
> -			       const struct lsm_id *lsmid)
> -{
> -	int i;
> -
> -	for (i = 0; i < count; i++) {
> -		hooks[i].lsmid = lsmid;
> -		lsm_static_call_init(&hooks[i]);
> -	}
> -}
> -
> -int __init early_security_init(void)
> -{
> -	struct lsm_info *lsm;
> -
> -	lsm_early_for_each_raw(lsm) {
> -		lsm_enabled_set(lsm, true);
> -		lsm_order_append(lsm, "early");
> -		lsm_prepare(lsm);
> -		lsm_init_single(lsm);
> -	}
> -
> -	return 0;
> -}
> -
> -/**
> - * security_init - initializes the security framework
> - *
> - * This should be called early in the kernel initialization sequence.
> - */
> -int __init security_init(void)
> -{
> -	struct lsm_info *lsm;
> -
> -	init_debug("legacy security=%s\n", lsm_order_legacy ? : " *unspecified*");
> -	init_debug("  CONFIG_LSM=%s\n", lsm_order_builtin);
> -	init_debug("boot arg lsm=%s\n", lsm_order_cmdline ? : " *unspecified*");
> -
> -	/*
> -	 * Append the names of the early LSM modules now that kmalloc() is
> -	 * available
> -	 */
> -	lsm_early_for_each_raw(lsm) {
> -		init_debug("  early started: %s (%s)\n", lsm->id->name,
> -			   lsm_is_enabled(lsm) ? "enabled" : "disabled");
> -	}
> -
> -	/* Load LSMs in specified order. */
> -	lsm_init_ordered();
>   
>   	return 0;
>   }

More information about the Linux-security-module-archive mailing list