Message ID | 20250409185019.238841-32-paul@paul-moore.com (mailing list archive) |
---|---|
State | New |
Series | Rework the LSM initialization | expand |
On Wed, Apr 09, 2025 at 02:49:46PM -0400, Paul Moore wrote: > In an effort to decompose security/security.c somewhat to make it less > twisted and unwieldy, pull out the LSM notifier code into a new file > as it is fairly well self-contained. > > No code changes. > > Signed-off-by: Paul Moore <paul@paul-moore.com> Yeah, seems good. Reviewed-by: Kees Cook <kees@kernel.org>
On 4/9/25 11:49, Paul Moore wrote: > In an effort to decompose security/security.c somewhat to make it less > twisted and unwieldy, pull out the LSM notifier code into a new file > as it is fairly well self-contained. > > No code changes. > > Signed-off-by: Paul Moore <paul@paul-moore.com> lgtm Reviewed-by: John Johansen <john.johansen@canonical.com> > --- > security/Makefile | 2 +- > security/lsm_notifier.c | 31 +++++++++++++++++++++++++++++++ > security/security.c | 23 ----------------------- > 3 files changed, 32 insertions(+), 24 deletions(-) > create mode 100644 security/lsm_notifier.c > > diff --git a/security/Makefile b/security/Makefile > index 22ff4c8bd8ce..14d87847bce8 100644 > --- a/security/Makefile > +++ b/security/Makefile > @@ -11,7 +11,7 @@ obj-$(CONFIG_SECURITY) += lsm_syscalls.o > obj-$(CONFIG_MMU) += min_addr.o > > # Object file lists > -obj-$(CONFIG_SECURITY) += security.o > +obj-$(CONFIG_SECURITY) += security.o lsm_notifier.o > obj-$(CONFIG_SECURITYFS) += inode.o > obj-$(CONFIG_SECURITY_SELINUX) += selinux/ > obj-$(CONFIG_SECURITY_SMACK) += smack/ > diff --git a/security/lsm_notifier.c b/security/lsm_notifier.c > new file mode 100644 > index 000000000000..c92fad5d57d4 > --- /dev/null > +++ b/security/lsm_notifier.c 
> @@ -0,0 +1,31 @@ > +// SPDX-License-Identifier: GPL-2.0-or-later > +/* > + * LSM notifier functions > + * > + */ > + > +#include <linux/notifier.h> > +#include <linux/security.h> > + > +static BLOCKING_NOTIFIER_HEAD(blocking_lsm_notifier_chain); > + > +int call_blocking_lsm_notifier(enum lsm_event event, void *data) > +{ > + return blocking_notifier_call_chain(&blocking_lsm_notifier_chain, > + event, data); > +} > +EXPORT_SYMBOL(call_blocking_lsm_notifier); > + > +int register_blocking_lsm_notifier(struct notifier_block *nb) > +{ > + return blocking_notifier_chain_register(&blocking_lsm_notifier_chain, > + nb); > +} > +EXPORT_SYMBOL(register_blocking_lsm_notifier); > + > +int unregister_blocking_lsm_notifier(struct notifier_block *nb) > +{ > + return blocking_notifier_chain_unregister(&blocking_lsm_notifier_chain, > + nb); > +} > +EXPORT_SYMBOL(unregister_blocking_lsm_notifier); > diff --git a/security/security.c b/security/security.c > index fb57e8fddd91..477be0a17e3f 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -90,8 +90,6 @@ const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX + 1] = { > [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", > }; > > -static BLOCKING_NOTIFIER_HEAD(blocking_lsm_notifier_chain); > - > static struct kmem_cache *lsm_file_cache; > static struct kmem_cache *lsm_inode_cache; 
> > @@ -643,27 +641,6 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count, > } > } > > -int call_blocking_lsm_notifier(enum lsm_event event, void *data) > -{ > - return blocking_notifier_call_chain(&blocking_lsm_notifier_chain, > - event, data); > -} > -EXPORT_SYMBOL(call_blocking_lsm_notifier); > - > -int register_blocking_lsm_notifier(struct notifier_block *nb) > -{ > - return blocking_notifier_chain_register(&blocking_lsm_notifier_chain, > - nb); > -} > -EXPORT_SYMBOL(register_blocking_lsm_notifier); > - > -int unregister_blocking_lsm_notifier(struct notifier_block *nb) > -{ > - return blocking_notifier_chain_unregister(&blocking_lsm_notifier_chain, > - nb); > -} > -EXPORT_SYMBOL(unregister_blocking_lsm_notifier); > - > /** > * lsm_blob_alloc - allocate a composite blob > * @dest: the destination for the blob
diff --git a/security/Makefile b/security/Makefile
index 22ff4c8bd8ce..14d87847bce8 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -11,7 +11,7 @@ obj-$(CONFIG_SECURITY) += lsm_syscalls.o
 obj-$(CONFIG_MMU) += min_addr.o
 
 # Object file lists
-obj-$(CONFIG_SECURITY) += security.o
+obj-$(CONFIG_SECURITY) += security.o lsm_notifier.o
 obj-$(CONFIG_SECURITYFS) += inode.o
 obj-$(CONFIG_SECURITY_SELINUX) += selinux/
 obj-$(CONFIG_SECURITY_SMACK) += smack/
diff --git a/security/lsm_notifier.c b/security/lsm_notifier.c
new file mode 100644
index 000000000000..c92fad5d57d4
--- /dev/null
+++ b/security/lsm_notifier.c
@@ -0,0 +1,31 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * LSM notifier functions
+ *
+ */
+
+#include <linux/notifier.h>
+#include <linux/security.h>
+
+static BLOCKING_NOTIFIER_HEAD(blocking_lsm_notifier_chain);
+
+int call_blocking_lsm_notifier(enum lsm_event event, void *data)
+{
+ return blocking_notifier_call_chain(&blocking_lsm_notifier_chain,
+ event, data);
+}
+EXPORT_SYMBOL(call_blocking_lsm_notifier);
+
+int register_blocking_lsm_notifier(struct notifier_block *nb)
+{
+ return blocking_notifier_chain_register(&blocking_lsm_notifier_chain,
+ nb);
+}
+EXPORT_SYMBOL(register_blocking_lsm_notifier);
+
+int unregister_blocking_lsm_notifier(struct notifier_block *nb)
+{
+ return blocking_notifier_chain_unregister(&blocking_lsm_notifier_chain,
+ nb);
+}
+EXPORT_SYMBOL(unregister_blocking_lsm_notifier);
diff --git a/security/security.c b/security/security.c
index fb57e8fddd91..477be0a17e3f 100644
--- a/security/security.c
+++ b/security/security.c
@@ -90,8 +90,6 @@ const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX + 1] = {
 [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
 };
 
-static BLOCKING_NOTIFIER_HEAD(blocking_lsm_notifier_chain);
-
 static struct kmem_cache *lsm_file_cache;
 static struct kmem_cache *lsm_inode_cache;
 
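Review bot: The three exported functions in the new security/lsm_notifier.c carry no kerneldoc, and the file header comment is a bare "LSM notifier functions" followed by an empty ` *` line, so the move is a natural point to document the interface that other modules now link against. A kerneldoc block on each function should name its parameters (`@event`/`@data`, or `@nb`), state that the return value is whatever the underlying `blocking_notifier_*` call returns, and make explicit that this is a blocking chain, since that matters to anyone deciding where `call_blocking_lsm_notifier()` may be invoked from. The header could simply read `/* LSM notifier functions: blocking notifier chain for LSM events */` with the empty ` *` line dropped.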
@@ -643,27 +641,6 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count,
 }
 }
 
-int call_blocking_lsm_notifier(enum lsm_event event, void *data)
-{
- return blocking_notifier_call_chain(&blocking_lsm_notifier_chain,
- event, data);
-}
-EXPORT_SYMBOL(call_blocking_lsm_notifier);
-
-int register_blocking_lsm_notifier(struct notifier_block *nb)
-{
- return blocking_notifier_chain_register(&blocking_lsm_notifier_chain,
- nb);
-}
-EXPORT_SYMBOL(register_blocking_lsm_notifier);
-
-int unregister_blocking_lsm_notifier(struct notifier_block *nb)
-{
- return blocking_notifier_chain_unregister(&blocking_lsm_notifier_chain,
- nb);
-}
-EXPORT_SYMBOL(unregister_blocking_lsm_notifier);
-
 /**
  * lsm_blob_alloc - allocate a composite blob
  * @dest: the destination for the blob
In an effort to decompose security/security.c somewhat to make it less twisted and unwieldy, pull out the LSM notifier code into a new file as it is fairly well self-contained. No code changes. Signed-off-by: Paul Moore <paul@paul-moore.com> --- security/Makefile | 2 +- security/lsm_notifier.c | 31 +++++++++++++++++++++++++++++++ security/security.c | 23 ----------------------- 3 files changed, 32 insertions(+), 24 deletions(-) create mode 100644 security/lsm_notifier.c