On Wed, Apr 9, 2025 at 7:42 PM Kees Cook <k...@kernel.org> wrote: > On Wed, Apr 09, 2025 at 02:50:05PM -0400, Paul Moore wrote: > > As the LSM framework only supports one LSM initcall callback for each > > initcall type, the init_smk_fs() and smack_nf_ip_init() functions were > > wrapped with a new function, smack_initcall() that is registered with > > the LSM framework. > > > > Signed-off-by: Paul Moore <p...@paul-moore.com> > > --- > > security/smack/smack.h | 6 ++++++ > > security/smack/smack_lsm.c | 16 ++++++++++++++++ > > security/smack/smack_netfilter.c | 4 +--- > > security/smack/smackfs.c | 4 +--- > > 4 files changed, 24 insertions(+), 6 deletions(-)
... > > diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c > > index e09b33fed5f0..80b129a0c92c 100644 > > --- a/security/smack/smack_lsm.c > > +++ b/security/smack/smack_lsm.c > > @@ -5277,6 +5277,21 @@ static __init int smack_init(void) > > return 0; > > } > > > > +static int smack_initcall(void) > > +{ > > + int rc, rc_tmp; > > + > > + rc_tmp = init_smk_fs(); > > + if (rc_tmp) > > + rc = rc_tmp; > > + > > + rc_tmp = smack_nf_ip_init(); > > + if (!rc && rc_tmp) > > + rc = rc_tmp; > > + > > + return rc; > > +} > > This retains the existing behavior, but I think it'd be better to > evaluate if the init_smk_fs() call can be tied to the fs init hook > instead, yes? Then no new helper is needed, etc. When doing this work I spotted a few LSMs where I think we could consolidate multiple initcall types into one (or two?), but there was enough in this patchset already I decided to leave that for another day. -- paul-moore.com
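Review bot: in smack_initcall(), `int rc, rc_tmp;` leaves rc uninitialized, and rc is only assigned when init_smk_fs() returns non-zero. When init_smk_fs() succeeds, both `if (!rc && rc_tmp)` and `return rc;` read an indeterminate value, so an error from smack_nf_ip_init() can be dropped or a garbage code returned to the caller. Declare it as `int rc = 0, rc_tmp;`, or assign `rc = init_smk_fs();` directly and overwrite it with the second result only when it is still zero. Separately, the hunk context shows smack_init() as `static __init int`, while the new wrapper carries no `__init`; if it only runs from the LSM initcall path, it should have the same annotation.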