On 4/10/2025 10:30 AM, Casey Schaufler wrote:
> On 4/9/2025 11:50 AM, Paul Moore wrote:
>> As the LSM framework only supports one LSM initcall callback for each
>> initcall type, the init_smk_fs() and smack_nf_ip_init() functions were
>> wrapped with a new function, smack_initcall() that is registered with
>> the LSM framework.
>>
>> Signed-off-by: Paul Moore <p...@paul-moore.com>
>> ---
>> security/smack/smack.h | 6 ++++++
>> security/smack/smack_lsm.c | 16 ++++++++++++++++
>> security/smack/smack_netfilter.c | 4 +---
>> security/smack/smackfs.c | 4 +---
>> 4 files changed, 24 insertions(+), 6 deletions(-)
>>
>> diff --git a/security/smack/smack.h b/security/smack/smack.h
>> index bf6a6ed3946c..709e0d6cd5e1 100644
>> --- a/security/smack/smack.h
>> +++ b/security/smack/smack.h
>> @@ -275,6 +275,12 @@ struct smk_audit_info {
>> #endif
>> };
>>
>> +/*
>> + * Initialization
>> + */
>> +int init_smk_fs(void);
>> +int smack_nf_ip_init(void);
>> +
>> /*
>> * These functions are in smack_access.c
>> */
>> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
>> index e09b33fed5f0..80b129a0c92c 100644
>> --- a/security/smack/smack_lsm.c
>> +++ b/security/smack/smack_lsm.c
>> @@ -5277,6 +5277,21 @@ static __init int smack_init(void)
>> return 0;
>> }
>>
>> +static int smack_initcall(void)
>> +{
>> + int rc, rc_tmp;
> separate lines for the declarations please.
>
>> +
>> + rc_tmp = init_smk_fs();
>> + if (rc_tmp)
>> + rc = rc_tmp;
> Replace these three lines with:
>
> + rc = init_smk_fs();
>
>> +
>> + rc_tmp = smack_nf_ip_init();
>> + if (!rc && rc_tmp)
>> + rc = rc_tmp;
> Change this to
>
> + rc_tmp = smack_nf_ip_init();
> + return rc ? rc : rc_tmp;
>
> Also change rc_tmp to rc_nf and rc to rc_fs.
>
>> +
>> + return rc;
>> +}
>> +
> Or:
>
> static int smack_initcall(void)
> {
> int rc_fs = init_smk_fs();
> int rc_nf = smack_nf_ip_init();
>
> return rc_fs ? rc_fs : rc:nf;
Whoops - return rc_fs ? rc_fs : rc_nf;
> }
>
>> /*
>> * Smack requires early initialization in order to label
>> * all processes and objects when they are created.
>> @@ -5286,4 +5301,5 @@ DEFINE_LSM(smack) = {
>> .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
>> .blobs = &smack_blob_sizes,
>> .init = smack_init,
>> + .initcall_device = smack_initcall,
>> };
>> diff --git a/security/smack/smack_netfilter.c
>> b/security/smack/smack_netfilter.c
>> index 8fd747b3653a..17ba578b1308 100644
>> --- a/security/smack/smack_netfilter.c
>> +++ b/security/smack/smack_netfilter.c
>> @@ -68,7 +68,7 @@ static struct pernet_operations smack_net_ops = {
>> .exit = smack_nf_unregister,
>> };
>>
>> -static int __init smack_nf_ip_init(void)
>> +int __init smack_nf_ip_init(void)
>> {
>> if (smack_enabled == 0)
>> return 0;
>> @@ -76,5 +76,3 @@ static int __init smack_nf_ip_init(void)
>> printk(KERN_DEBUG "Smack: Registering netfilter hooks\n");
>> return register_pernet_subsys(&smack_net_ops);
>> }
>> -
>> -__initcall(smack_nf_ip_init);
>> diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
>> index 90a67e410808..d33dd0368807 100644
>> --- a/security/smack/smackfs.c
>> +++ b/security/smack/smackfs.c
>> @@ -2980,7 +2980,7 @@ static struct vfsmount *smackfs_mount;
>> * Returns true if we were not chosen on boot or if
>> * we were chosen and filesystem registration succeeded.
>> */
>> -static int __init init_smk_fs(void)
>> +int __init init_smk_fs(void)
>> {
>> int err;
>> int rc;
>> @@ -3023,5 +3023,3 @@ static int __init init_smk_fs(void)
>>
>> return err;
>> }
>> -
>> -__initcall(init_smk_fs);
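Review bot: The new `smack_initcall()` in security/smack/smack_lsm.c is declared `static int` without `__init`, yet it calls `init_smk_fs()` and `smack_nf_ip_init()`, both of which this patch keeps as `int __init`. A regular-text function that references init-section code normally triggers a modpost section-mismatch warning, and the callees' text is released after boot while the wrapper stays resident. Declaring it `static int __init smack_initcall(void)`, as is done for `static __init int smack_init(void)` named in the hunk header, keeps the whole path in the init section. A one-line comment above it such as `/* device-level init: smackfs first, then the netfilter hooks; the first error is returned */` would also record the ordering and the return convention.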
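Review bot: `smack_nf_ip_init()` loses `static` in the security/smack/smack_netfilter.c hunk at -68 and is now called unconditionally from smack_lsm.c, with an unconditional prototype in smack.h. The Makefile is not part of this patch, but if smack_netfilter.c is built only when the Smack netfilter option (CONFIG_SECURITY_SMACK_NETFILTER, to be confirmed) is enabled, a kernel configured without it would no longer link. Previously the `__initcall(smack_nf_ip_init);` removed in the -76 hunk lived in the same file and simply disappeared with it. Guarding the prototype in smack.h with that symbol and providing `static inline int smack_nf_ip_init(void) { return 0; }` for the disabled case would keep both configurations building.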
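Review bot: The comment kept above `init_smk_fs()` in the security/smack/smackfs.c hunk at -2980 still reads "Returns true if we were not chosen on boot or if we were chosen and filesystem registration succeeded", which no longer matches how the value is consumed. The function is now non-static, and `smack_initcall()` treats a non-zero return as an error to propagate. The body lies mostly outside the hunk, so the exact values are inferred from the visible `return err;`. If that is right, the comment should say something like `Returns 0 if Smack was not chosen at boot or if filesystem registration succeeded, otherwise an error code`.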