[PATCH RFC 1/3] LSM: add a flags field to the LSM hook definitions

Paul Moore paul at paul-moore.com
Fri Apr 24 20:29:40 UTC 2026


On Fri, Apr 24, 2026 at 11:24 AM Casey Schaufler <casey at schaufler-ca.com> wrote:
> On 4/23/2026 6:19 PM, Paul Moore wrote:
> > On Feb 25, 2026 Casey Schaufler <casey at schaufler-ca.com> wrote:
> >> Add a field for flags to the definition of LSM hooks.  This allows
> >> for hooks to be identified at system initialization for special
> >> processing.
> >>
> >> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
> >> ---
> >>  include/linux/bpf_lsm.h       |   2 +-
> >>  include/linux/lsm_hook_defs.h | 614 ++++++++++++++++++----------------
> >>  include/linux/lsm_hooks.h     |   4 +-
> >>  kernel/bpf/bpf_lsm.c          |  10 +-
> >>  security/bpf/hooks.c          |   2 +-
> >>  security/security.c           |   6 +-
> >>  6 files changed, 331 insertions(+), 307 deletions(-)
> >>
> >> diff --git a/include/linux/bpf_lsm.h b/include/linux/bpf_lsm.h
> >> index 643809cc78c3..d71ba8c87e79 100644
> >> --- a/include/linux/bpf_lsm.h
> >> +++ b/include/linux/bpf_lsm.h
> >> @@ -14,7 +14,7 @@
> >>
> >>  #ifdef CONFIG_BPF_LSM
> >>
> >> -#define LSM_HOOK(RET, DEFAULT, NAME, ...) \
> >> +#define LSM_HOOK(RET, DEFAULT, FLAGS, NAME, ...) \
> >>      RET bpf_lsm_##NAME(__VA_ARGS__);
> >>  #include <linux/lsm_hook_defs.h>
> >>  #undef LSM_HOOK
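Review bot: the new FLAGS parameter is accepted here but never used in the bpf_lsm.h expansion, which is fine for generating prototypes, but because the macro parameters are positional, every other `LSM_HOOK(RET, DEFAULT, NAME, ...)` expansion site in the tree has to be converted in the same patch, or a site left on the old three-parameter form will bind `NAME` to the flags value. The diffstat shows the other sites being touched (kernel/bpf/bpf_lsm.c, security/bpf/hooks.c, security/security.c, include/linux/lsm_hooks.h), so a sentence in the commit message stating that all LSM_HOOK() expansion sites were converted would make the lockstep requirement explicit for reviewers and for anyone adding a new expansion site later.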
> >> diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
> >> index 8c42b4bde09c..acda3a02da97 100644
> >> --- a/include/linux/lsm_hook_defs.h
> >> +++ b/include/linux/lsm_hook_defs.h
> >> @@ -18,451 +18,475 @@
> >>   * The macro LSM_HOOK is used to define the data structures required by
> >>   * the LSM framework using the pattern:
> >>   *
> >> - *  LSM_HOOK(<return_type>, <default_value>, <hook_name>, args...)
> >> + *  LSM_HOOK(<return_type>, <default_value>, <flags>, <single>,
> >> + *           <hook_name>, args...)
> >>   *
> >>   * struct security_hook_heads {
> >> - *   #define LSM_HOOK(RET, DEFAULT, NAME, ...) struct hlist_head NAME;
> >> + *   #define LSM_HOOK(RET, DEFAULT, FLAGS, NAME, ...) struct hlist_head NAME;
> >>   *   #include <linux/lsm_hook_defs.h>
> >>   *   #undef LSM_HOOK
> >>   * };
> >>   */
> >> -LSM_HOOK(int, 0, binder_set_context_mgr, const struct cred *mgr)
> >> -LSM_HOOK(int, 0, binder_transaction, const struct cred *from,
> >> +LSM_HOOK(int, 0, 0, binder_set_context_mgr, const struct cred *mgr)
> >> +LSM_HOOK(int, 0, 0, binder_transaction, const struct cred *from,
> >>       const struct cred *to)
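Review bot: the usage comment in this hunk does not match the macro it documents: the pattern line now reads `LSM_HOOK(<return_type>, <default_value>, <flags>, <single>, <hook_name>, args...)` with an extra `<single>` field, while the `struct security_hook_heads` example directly below it and the converted definitions (`LSM_HOOK(int, 0, 0, binder_set_context_mgr, ...)`) use four positional fields, `RET, DEFAULT, FLAGS, NAME`. Either drop `<single>` from the comment or, if a separate per-hook field is planned for a later patch, leave it out until the patch that introduces it. Separately, nothing in this hunk says which values the new flags field may carry; a short list of the accepted flags (or a pointer to where they are defined) in the same comment would make the field self-documenting, which is also an argument for a named LSM_FLAG_NONE rather than the bare 0.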
> > I think adding a flag field to the LSM_HOOK() macro/definitions is a good
> > and useful addition, but I'd prefer if we created a LSM_FLAG_NONE #define
> > and used it here just so we could avoid the back-to-back 0's and do a bit
> > of self-documentation.
>
> I had LSM_FLAG_NONE initially, but removed it when I saw the amount of code
> churn it introduced. I'm happy to put it back.

You're already touching every LSM_HOOK() definition to add another
parameter; changing that parameter from 0 to LSM_FLAG_NONE shouldn't
make it that much worse.

-- 
paul-moore.com


