[PATCH RFC 1/3] LSM: add a flags field to the LSM hook definitions
Casey Schaufler
casey at schaufler-ca.com
Fri Apr 24 15:24:44 UTC 2026
On 4/23/2026 6:19 PM, Paul Moore wrote:
> On Feb 25, 2026 Casey Schaufler <casey at schaufler-ca.com> wrote:
>> Add a field for flags to the definition of LSM hooks. This allows
>> for hooks to be identified at system initialization for special
>> processing.
>>
>> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
>> ---
>> include/linux/bpf_lsm.h | 2 +-
>> include/linux/lsm_hook_defs.h | 614 ++++++++++++++++++----------------
>> include/linux/lsm_hooks.h | 4 +-
>> kernel/bpf/bpf_lsm.c | 10 +-
>> security/bpf/hooks.c | 2 +-
>> security/security.c | 6 +-
>> 6 files changed, 331 insertions(+), 307 deletions(-)
>>
>> diff --git a/include/linux/bpf_lsm.h b/include/linux/bpf_lsm.h
>> index 643809cc78c3..d71ba8c87e79 100644
>> --- a/include/linux/bpf_lsm.h
>> +++ b/include/linux/bpf_lsm.h
>> @@ -14,7 +14,7 @@
>>
>> #ifdef CONFIG_BPF_LSM
>>
>> -#define LSM_HOOK(RET, DEFAULT, NAME, ...) \
>> +#define LSM_HOOK(RET, DEFAULT, FLAGS, NAME, ...) \
>> RET bpf_lsm_##NAME(__VA_ARGS__);
>> #include <linux/lsm_hook_defs.h>
>> #undef LSM_HOOK
>> diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
>> index 8c42b4bde09c..acda3a02da97 100644
>> --- a/include/linux/lsm_hook_defs.h
>> +++ b/include/linux/lsm_hook_defs.h
>> @@ -18,451 +18,475 @@
>> * The macro LSM_HOOK is used to define the data structures required by
>> * the LSM framework using the pattern:
>> *
>> - * LSM_HOOK(<return_type>, <default_value>, <hook_name>, args...)
>> + * LSM_HOOK(<return_type>, <default_value>, <flags>, <single>,
>> + * <hook_name>, args...)
>> *
>> * struct security_hook_heads {
>> - * #define LSM_HOOK(RET, DEFAULT, NAME, ...) struct hlist_head NAME;
>> + * #define LSM_HOOK(RET, DEFAULT, FLAGS, NAME, ...) struct hlist_head NAME;
>> * #include <linux/lsm_hook_defs.h>
>> * #undef LSM_HOOK
>> * };
>> */
>> -LSM_HOOK(int, 0, binder_set_context_mgr, const struct cred *mgr)
>> -LSM_HOOK(int, 0, binder_transaction, const struct cred *from,
>> +LSM_HOOK(int, 0, 0, binder_set_context_mgr, const struct cred *mgr)
>> +LSM_HOOK(int, 0, 0, binder_transaction, const struct cred *from,
>> const struct cred *to)
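Review bot: the updated usage comment in this hunk does not match the macro it documents. The pattern comment now reads `LSM_HOOK(<return_type>, <default_value>, <flags>, <single>, <hook_name>, args...)`, but the `#define` example directly below it and the converted definitions (`LSM_HOOK(int, 0, 0, binder_set_context_mgr, ...)`) take only `RET, DEFAULT, FLAGS, NAME, ...`, with no `<single>` parameter. Either drop `<single>` from the pattern line or document what it is meant to be, so the comment matches the four positional parameters the macro actually has.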
> I think adding a flag field to the LSM_HOOK() macro/definitions is a good
> and useful addition, but I'd prefer if we created a LSM_FLAG_NONE #define
> and used it here just so we could avoid the back-to-back 0's and do a bit
> of self-documentation.
I had LSM_FLAG_NONE initially, but removed it when I saw the amount of code
churn it introduced. I'm happy to put it back.