On 7/21/2025 4:21 PM, Paul Moore wrote: > In an effort to decompose security/security.c somewhat to make it less > twisted and unwieldy, pull out the LSM notifier code into a new file > as it is fairly well self-contained. > > No code changes. > > Reviewed-by: Kees Cook <k...@kernel.org> > Reviewed-by: John Johansen <john.johan...@canonical.com> > Signed-off-by: Paul Moore <p...@paul-moore.com>
Reviewed-by: Casey Schaufler <ca...@schaufler-ca.com>
> ---
> security/Makefile | 2 +-
> security/lsm_notifier.c | 31 +++++++++++++++++++++++++++++++
> security/security.c | 23 -----------------------
> 3 files changed, 32 insertions(+), 24 deletions(-)
> create mode 100644 security/lsm_notifier.c
>
> diff --git a/security/Makefile b/security/Makefile
> index 22ff4c8bd8ce..14d87847bce8 100644
> --- a/security/Makefile
> +++ b/security/Makefile
> @@ -11,7 +11,7 @@ obj-$(CONFIG_SECURITY) +=
> lsm_syscalls.o
> obj-$(CONFIG_MMU) += min_addr.o
>
> # Object file lists
> -obj-$(CONFIG_SECURITY) += security.o
> +obj-$(CONFIG_SECURITY) += security.o lsm_notifier.o
> obj-$(CONFIG_SECURITYFS) += inode.o
> obj-$(CONFIG_SECURITY_SELINUX) += selinux/
> obj-$(CONFIG_SECURITY_SMACK) += smack/
> diff --git a/security/lsm_notifier.c b/security/lsm_notifier.c
> new file mode 100644
> index 000000000000..c92fad5d57d4
> --- /dev/null
> +++ b/security/lsm_notifier.c
> @@ -0,0 +1,31 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * LSM notifier functions
> + *
> + */
> +
> +#include <linux/notifier.h>
> +#include <linux/security.h>
> +
> +static BLOCKING_NOTIFIER_HEAD(blocking_lsm_notifier_chain);
> +
> +int call_blocking_lsm_notifier(enum lsm_event event, void *data)
> +{
> + return blocking_notifier_call_chain(&blocking_lsm_notifier_chain,
> + event, data);
> +}
> +EXPORT_SYMBOL(call_blocking_lsm_notifier);
> +
> +int register_blocking_lsm_notifier(struct notifier_block *nb)
> +{
> + return blocking_notifier_chain_register(&blocking_lsm_notifier_chain,
> + nb);
> +}
> +EXPORT_SYMBOL(register_blocking_lsm_notifier);
> +
> +int unregister_blocking_lsm_notifier(struct notifier_block *nb)
> +{
> + return blocking_notifier_chain_unregister(&blocking_lsm_notifier_chain,
> + nb);
> +}
> +EXPORT_SYMBOL(unregister_blocking_lsm_notifier);
> diff --git a/security/security.c b/security/security.c
> index fc8405928cc7..ea09a71d9767 100644
> --- a/security/security.c
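Review bot: The header comment at the top of the new lsm_notifier.c (`* LSM notifier functions` followed by a dangling empty ` *` line) says nothing about what the chain is for or the context it may be used from, which matters now that these three exported functions are the file's entire interface. Because the chain is declared with BLOCKING_NOTIFIER_HEAD, registered callbacks are allowed to sleep and call_blocking_lsm_notifier() must not be invoked from atomic context; I would state that in the header, e.g. `* Blocking notifier chain used to announce LSM events (enum lsm_event) to registered listeners; callbacks may sleep, so call_blocking_lsm_notifier() must only be called from process context.`, and drop the empty ` *` line. Kernel-doc comments on the three functions (the event/data and nb parameters, return value passed through from the notifier core) would match the style already used in security.c, e.g. lsm_blob_alloc. Unrelated to this move, the symbols remain plain EXPORT_SYMBOL, so any module can subscribe to LSM events; if that is ever to be tightened to EXPORT_SYMBOL_GPL it belongs in a separate patch, not in this no-code-change split.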
> +++ b/security/security.c
> @@ -90,8 +90,6 @@ const char *const
> lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX + 1] = {
> [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
> };
>
> -static BLOCKING_NOTIFIER_HEAD(blocking_lsm_notifier_chain);
> -
> static struct kmem_cache *lsm_file_cache;
> static struct kmem_cache *lsm_inode_cache;
>
> @@ -643,27 +641,6 @@ void __init security_add_hooks(struct security_hook_list
> *hooks, int count,
> }
> }
>
> -int call_blocking_lsm_notifier(enum lsm_event event, void *data)
> -{
> - return blocking_notifier_call_chain(&blocking_lsm_notifier_chain,
> - event, data);
> -}
> -EXPORT_SYMBOL(call_blocking_lsm_notifier);
> -
> -int register_blocking_lsm_notifier(struct notifier_block *nb)
> -{
> - return blocking_notifier_chain_register(&blocking_lsm_notifier_chain,
> - nb);
> -}
> -EXPORT_SYMBOL(register_blocking_lsm_notifier);
> -
> -int unregister_blocking_lsm_notifier(struct notifier_block *nb)
> -{
> - return blocking_notifier_chain_unregister(&blocking_lsm_notifier_chain,
> - nb);
> -}
> -EXPORT_SYMBOL(unregister_blocking_lsm_notifier);
> -
> /**
> * lsm_blob_alloc - allocate a composite blob
> * @dest: the destination for the blob