On 7/21/2025 4:21 PM, Paul Moore wrote: > With only security_init() calling lsm_init_ordered, it makes little > sense to keep lsm_init_ordered() as a standalone function. Fold > lsm_init_ordered() into security_init(). > > Signed-off-by: Paul Moore <p...@paul-moore.com>
Reviewed-by: Casey Schaufler <ca...@schaufler-ca.com> > --- > security/lsm_init.c | 157 ++++++++++++++++++++------------------------ > 1 file changed, 72 insertions(+), 85 deletions(-) > > diff --git a/security/lsm_init.c b/security/lsm_init.c > index 49f93383e551..25fe0c89e884 100644 > --- a/security/lsm_init.c > +++ b/security/lsm_init.c > @@ -18,6 +18,9 @@ static __initdata int lsm_enabled_false = 0; > extern struct lsm_info __start_lsm_info[], __end_lsm_info[]; > extern struct lsm_info __start_early_lsm_info[], __end_early_lsm_info[]; > > +/* Number of "early" LSMs */ > +static __initdata unsigned int lsm_count_early; > + > /* Build and boot-time LSM ordering. */ > static __initconst const char *const lsm_order_builtin = CONFIG_LSM; > static __initdata const char *lsm_order_cmdline; > @@ -169,7 +172,6 @@ static void __init lsm_order_append(struct lsm_info *lsm, > const char *src) > lsm_is_enabled(lsm) ? "enabled" : "disabled"); > } > > - > /** > * lsm_blob_size_update - Update the LSM blob size and offset information > * @sz_req: the requested additional blob size 
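Review bot: The comment on the new `lsm_count_early` declaration in the first hunk says what it counts but not the contract the rest of the patch depends on: it is bumped once per LSM that early_security_init() appends to the ordered list, and security_init() later treats it as the number of leading entries of that list to skip. Suggest making that explicit at the declaration, e.g. `/* Number of "early" LSMs; they occupy the first lsm_count_early slots of the ordered list */`, so a future change to where early LSMs are appended does not silently break the skip.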
> @@ -310,78 +312,6 @@ static void __init lsm_order_parse(const char *list, > const char *src) > } > } > > -/** > - * lsm_init_ordered - Initialize the ordered LSMs > - */ > -static void __init lsm_init_ordered(void) > -{ > - unsigned int first = 0; > - struct lsm_info **lsm; > - struct lsm_info *early; > - > - if (lsm_order_cmdline) { > - if (lsm_order_legacy) { > - pr_warn("security=%s is ignored because it is > superseded by lsm=%s\n", > - lsm_order_legacy, lsm_order_cmdline); > - lsm_order_legacy = NULL; > - } > - lsm_order_parse(lsm_order_cmdline, "cmdline"); > - } else > - lsm_order_parse(lsm_order_builtin, "builtin"); > - > - lsm_order_for_each(lsm) { > - lsm_prepare(*lsm); > - } > - > - pr_info("initializing lsm="); > - lsm_early_for_each_raw(early) { > - if (lsm_is_enabled(early)) > - pr_cont("%s%s", > - first++ == 0 ? "" : ",", early->id->name); > - } > - lsm_order_for_each(lsm) { > - if (lsm_is_enabled(*lsm)) > - pr_cont("%s%s", > - first++ == 0 ? "" : ",", (*lsm)->id->name); > - } > - pr_cont("\n"); > - > - init_debug("cred blob size = %d\n", blob_sizes.lbs_cred); > - init_debug("file blob size = %d\n", blob_sizes.lbs_file); > - init_debug("ib blob size = %d\n", blob_sizes.lbs_ib); > - init_debug("inode blob size = %d\n", blob_sizes.lbs_inode); > - init_debug("ipc blob size = %d\n", blob_sizes.lbs_ipc); > -#ifdef CONFIG_KEYS > - init_debug("key blob size = %d\n", blob_sizes.lbs_key); > -#endif /* CONFIG_KEYS */ > - init_debug("msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg); > - init_debug("sock blob size = %d\n", blob_sizes.lbs_sock); > - init_debug("superblock blob size = %d\n", blob_sizes.lbs_superblock); > - init_debug("perf event blob size = %d\n", blob_sizes.lbs_perf_event); > - init_debug("task blob size = %d\n", blob_sizes.lbs_task); > - init_debug("tun device blob size = %d\n", blob_sizes.lbs_tun_dev); > - init_debug("xattr slots = %d\n", blob_sizes.lbs_xattr_count); > - init_debug("bdev blob size = %d\n", blob_sizes.lbs_bdev); > - > - if 
(blob_sizes.lbs_file) > - lsm_file_cache = kmem_cache_create("lsm_file_cache", > - blob_sizes.lbs_file, 0, > - SLAB_PANIC, NULL); > - if (blob_sizes.lbs_inode) > - lsm_inode_cache = kmem_cache_create("lsm_inode_cache", > - blob_sizes.lbs_inode, 0, > - SLAB_PANIC, NULL); > - > - if (lsm_cred_alloc((struct cred *)current->cred, GFP_KERNEL)) > - panic("%s: early cred alloc failed.\n", __func__); > - if (lsm_task_alloc(current)) > - panic("%s: early task alloc failed.\n", __func__); > - > - lsm_order_for_each(lsm) { > - lsm_init_single(*lsm); > - } > -} > - > static void __init lsm_static_call_init(struct security_hook_list *hl) > { > struct lsm_static_call *scall = hl->scalls; 
> @@ -429,35 +359,92 @@ int __init early_security_init(void) > lsm_order_append(lsm, "early"); > lsm_prepare(lsm); > lsm_init_single(lsm); > + lsm_count_early++; > } > > return 0; > } > > /** > - * security_init - initializes the security framework > + * security_init - Initializes the LSM framework > * > * This should be called early in the kernel initialization sequence. > */ > int __init security_init(void) > { > - struct lsm_info *lsm; > + unsigned int cnt; > + struct lsm_info **lsm; > + struct lsm_info *early; > + unsigned int first = 0; > > init_debug("legacy security=%s\n", lsm_order_legacy ? : " > *unspecified*"); > init_debug(" CONFIG_LSM=%s\n", lsm_order_builtin); > init_debug("boot arg lsm=%s\n", lsm_order_cmdline ? : " *unspecified*"); > > - /* > - * Append the names of the early LSM modules now that kmalloc() is > - * available > - */ > - lsm_early_for_each_raw(lsm) { > - init_debug(" early started: %s (%s)\n", lsm->id->name, > - lsm_is_enabled(lsm) ? "enabled" : "disabled"); > - } > + if (lsm_order_cmdline) { > + if (lsm_order_legacy) { > + pr_warn("security=%s is ignored because it is > superseded by lsm=%s\n", > + lsm_order_legacy, lsm_order_cmdline); > + lsm_order_legacy = NULL; > + } > + lsm_order_parse(lsm_order_cmdline, "cmdline"); > + } else > + lsm_order_parse(lsm_order_builtin, "builtin"); > > - /* Load LSMs in specified order. */ > - lsm_init_ordered(); > + lsm_order_for_each(lsm) > + lsm_prepare(*lsm); > + > + pr_info("initializing lsm="); > + lsm_early_for_each_raw(early) { > + if (lsm_is_enabled(early)) > + pr_cont("%s%s", > + first++ == 0 ? "" : ",", early->id->name); > + } > + lsm_order_for_each(lsm) { > + if (lsm_is_enabled(*lsm)) > + pr_cont("%s%s", > + first++ == 0 ? 
"" : ",", (*lsm)->id->name); > + } > + pr_cont("\n"); > + > + init_debug("cred blob size = %d\n", blob_sizes.lbs_cred); > + init_debug("file blob size = %d\n", blob_sizes.lbs_file); > + init_debug("ib blob size = %d\n", blob_sizes.lbs_ib); > + init_debug("inode blob size = %d\n", blob_sizes.lbs_inode); > + init_debug("ipc blob size = %d\n", blob_sizes.lbs_ipc); > +#ifdef CONFIG_KEYS > + init_debug("key blob size = %d\n", blob_sizes.lbs_key); > +#endif /* CONFIG_KEYS */ > + init_debug("msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg); > + init_debug("sock blob size = %d\n", blob_sizes.lbs_sock); > + init_debug("superblock blob size = %d\n", blob_sizes.lbs_superblock); > + init_debug("perf event blob size = %d\n", blob_sizes.lbs_perf_event); > + init_debug("task blob size = %d\n", blob_sizes.lbs_task); > + init_debug("tun device blob size = %d\n", blob_sizes.lbs_tun_dev); > + init_debug("xattr slots = %d\n", blob_sizes.lbs_xattr_count); > + init_debug("bdev blob size = %d\n", blob_sizes.lbs_bdev); > + > + if (blob_sizes.lbs_file) > + lsm_file_cache = kmem_cache_create("lsm_file_cache", > + blob_sizes.lbs_file, 0, > + SLAB_PANIC, NULL); > + if (blob_sizes.lbs_inode) > + lsm_inode_cache = kmem_cache_create("lsm_inode_cache", > + blob_sizes.lbs_inode, 0, > + SLAB_PANIC, NULL); > + > + if (lsm_cred_alloc((struct cred *)current->cred, GFP_KERNEL)) > + panic("%s: early cred alloc failed.\n", __func__); > + if (lsm_task_alloc(current)) > + panic("%s: early task alloc failed.\n", __func__); > + > + cnt = 0; > + lsm_order_for_each(lsm) { > + /* skip the "early" LSMs as they have already been setup */ > + if (cnt++ < lsm_count_early) > + continue; > + lsm_init_single(*lsm); > + } > > return 0; > }
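Review bot: The early-LSM skip at the end of security_init() assumes the early LSMs occupy the first `lsm_count_early` slots of the ordered list, which holds only because early_security_init() presumably runs its lsm_order_append() calls before lsm_order_parse() is ever invoked here; the loop comment should state that invariant, e.g. `/* early LSMs were appended first by early_security_init(), so they occupy the first lsm_count_early slots; skip them, they are already initialized */`. The lsm_prepare() pass a few lines above still runs over those same early entries, which early_security_init() already prepared; whether lsm_prepare() is safe to call twice cannot be told from this hunk, so either the same `cnt < lsm_count_early` guard belongs there too or a comment should say why the repeated call is harmless. A minor style point: `} else` followed by an unbraced lsm_order_parse() call next to a braced if-branch departs from the kernel convention of bracing both branches when one needs braces, i.e. `} else {` / `lsm_order_parse(lsm_order_builtin, "builtin");` / `}`.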