Commit 3156bc81 authored by Paul Moore's avatar Paul Moore

selinux: move initcalls to the LSM framework



SELinux currently has a number of initcalls so we've created a new
function, selinux_initcall(), which wraps all of these initcalls so
that we have a single initcall function that can be registered with the
LSM framework.

Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent 82fe7932
+1 −1
@@ -15,7 +15,7 @@ ccflags-y := -I$(srctree)/security/selinux -I$(srctree)/security/selinux/include
ccflags-$(CONFIG_SECURITY_SELINUX_DEBUG) += -DDEBUG

selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \
	     netnode.o netport.o status.o \
	     netnode.o netport.o status.o initcalls.o \
	     ss/ebitmap.o ss/hashtab.o ss/symtab.o ss/sidtab.o ss/avtab.o \
	     ss/policydb.o ss/services.o ss/conditional.o ss/mls.o ss/context.o

+7 −2
@@ -94,6 +94,7 @@
#include <linux/io_uring/cmd.h>
#include <uapi/linux/lsm.h>

#include "initcalls.h"
#include "avc.h"
#include "objsec.h"
#include "netif.h"
@@ -7612,6 +7613,10 @@ static __init int selinux_init(void)
	if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
		panic("SELinux: Unable to register AVC LSM notifier callback\n");

	if (avc_add_callback(selinux_audit_rule_avc_callback,
			     AVC_CALLBACK_RESET))
		panic("SELinux: Unable to register AVC audit callback\n");

	if (selinux_enforcing_boot)
		pr_debug("SELinux:  Starting in enforcing mode\n");
	else
@@ -7644,6 +7649,7 @@ DEFINE_LSM(selinux) = {
	.enabled = &selinux_enabled_boot,
	.blobs = &selinux_blob_sizes,
	.init = selinux_init,
	.initcall_device = selinux_initcall,
};

#if defined(CONFIG_NETFILTER)
@@ -7705,7 +7711,7 @@ static struct pernet_operations selinux_net_ops = {
	.exit = selinux_nf_unregister,
};

static int __init selinux_nf_ip_init(void)
int __init selinux_nf_ip_init(void)
{
	int err;

@@ -7720,5 +7726,4 @@ static int __init selinux_nf_ip_init(void)

	return 0;
}
__initcall(selinux_nf_ip_init);
#endif /* CONFIG_NETFILTER */
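Review bot: `selinux_nf_ip_init` at L64 becomes an externally visible symbol but gets no kernel-doc, and because it keeps `__init` every caller must be `__init` too, otherwise modpost reports a section mismatch; the `selinux_initcall()` prototype added to initcalls.h carries no `__init`, so the definition in initcalls.c (not in this view) needs checking. A comment of the form `/* Register the SELinux netfilter hooks; called from selinux_initcall() rather than as a standalone initcall. */` above the definition would make the new calling contract explicit. The body of `selinux_nf_ip_init` is split across the two hunks at L63–67 and L68–71.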
+2 −3
@@ -23,6 +23,7 @@
#include <linux/list.h>
#include <linux/spinlock.h>

#include "initcalls.h"
#include "ibpkey.h"
#include "objsec.h"

@@ -218,7 +219,7 @@ void sel_ib_pkey_flush(void)
	spin_unlock_irqrestore(&sel_ib_pkey_lock, flags);
}

static __init int sel_ib_pkey_init(void)
int __init sel_ib_pkey_init(void)
{
	int iter;

@@ -232,5 +233,3 @@ static __init int sel_ib_pkey_init(void)

	return 0;
}

subsys_initcall(sel_ib_pkey_init);
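Review bot: `sel_ib_pkey_init` was registered at `subsys_initcall` level (removed at L98) but is now presumably reached through `selinux_initcall()`, which hooks.c wires to `.initcall_device` at L55, a later initcall level; that is an ordering change for the pkey table relative to other subsystem-level init that the commit message does not mention. If the move is intentional, a one-line comment on the definition at L89 such as `/* Called from selinux_initcall() at device initcall level (previously subsys_initcall). */` records it for the next reader. The function body continues outside the hunk at L93–96.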
+9 −0
@@ -15,6 +15,15 @@
#include <linux/audit.h>
#include <linux/types.h>

/**
 * selinux_audit_rule_avc_callback - update the audit LSM rules on AVC events.
 * @event: the AVC event
 *
 * Update any audit LSM rules based on the AVC event specified in @event.
 * Returns 0 on success, negative values otherwise.
 */
int selinux_audit_rule_avc_callback(u32 event);

/**
 * selinux_audit_rule_init - alloc/init an selinux audit rule structure.
 * @field: the field this rule refers to
+19 −0
// SPDX-License-Identifier: GPL-2.0-only
/*
 * SELinux initcalls
 */

#ifndef _SELINUX_INITCALLS_H
#define _SELINUX_INITCALLS_H

int init_sel_fs(void);
int sel_netport_init(void);
int sel_netnode_init(void);
int sel_netif_init(void);
int sel_netlink_init(void);
int sel_ib_pkey_init(void);
int selinux_nf_ip_init(void);

int selinux_initcall(void);

#endif
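Review bot: The prototype for `selinux_nf_ip_init` at L133 is unconditional while its definition in hooks.c sits inside `#if defined(CONFIG_NETFILTER)` (L58–L73), so a `!CONFIG_NETFILTER` build will fail to link unless the caller in initcalls.c (not in this view) repeats the ifdef; the same likely applies to `sel_ib_pkey_init` at L132, whose ibpkey.o is built only under the InfiniBand config option in the selinux Makefile (that Makefile section is not visible here, so confirm). Providing a static inline stub in the header keeps the ifdefs out of `selinux_initcall()` and mirrors the pattern used elsewhere in the tree. The header would also benefit from a kernel-doc on `selinux_initcall` stating that it runs these initcalls in sequence and what its return value means, since `DEFINE_LSM` consumes it as `.initcall_device`.
```c
#ifdef CONFIG_NETFILTER
int selinux_nf_ip_init(void);
#else
static inline int selinux_nf_ip_init(void) { return 0; }
#endif
/* … unchanged: remaining prototypes … */
```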