On 4/9/2025 11:50 AM, Paul Moore wrote:
> As the LSM framework only supports one LSM initcall callback for each
> initcall type, the init_smk_fs() and smack_nf_ip_init() functions were
> wrapped with a new function, smack_initcall() that is registered with
> the LSM framework.
>
> Signed-off-by: Paul Moore <p...@paul-moore.com>
> ---
> security/smack/smack.h | 6 ++++++
> security/smack/smack_lsm.c | 16 ++++++++++++++++
> security/smack/smack_netfilter.c | 4 +---
> security/smack/smackfs.c | 4 +---
> 4 files changed, 24 insertions(+), 6 deletions(-)
>
> diff --git a/security/smack/smack.h b/security/smack/smack.h
> index bf6a6ed3946c..709e0d6cd5e1 100644
> --- a/security/smack/smack.h
> +++ b/security/smack/smack.h
> @@ -275,6 +275,12 @@ struct smk_audit_info {
> #endif
> };
>
> +/*
> + * Initialization
> + */
> +int init_smk_fs(void);
> +int smack_nf_ip_init(void);
> +
> /*
> * These functions are in smack_access.c
> */
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index e09b33fed5f0..80b129a0c92c 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -5277,6 +5277,21 @@ static __init int smack_init(void)
> return 0;
> }
>
> +static int smack_initcall(void)
> +{
> + int rc, rc_tmp;
separate lines for the declarations please.
> +
> + rc_tmp = init_smk_fs();
> + if (rc_tmp)
> + rc = rc_tmp;
Replace these three lines with:
+ rc = init_smk_fs();
> +
> + rc_tmp = smack_nf_ip_init();
> + if (!rc && rc_tmp)
> + rc = rc_tmp;
Change this to
+ rc_tmp = smack_nf_ip_init();
+ return rc ? rc : rc_tmp;
Also change rc_tmp to rc_nf and rc to rc_fs.
> +
> + return rc;
> +}
> +
Or:
static int smack_initcall(void)
{
int rc_fs = init_smk_fs();
int rc_nf = smack_nf_ip_init();
return rc_fs ? rc_fs : rc:nf;
}
> /*
> * Smack requires early initialization in order to label
> * all processes and objects when they are created.
> @@ -5286,4 +5301,5 @@ DEFINE_LSM(smack) = {
> .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
> .blobs = &smack_blob_sizes,
> .init = smack_init,
> + .initcall_device = smack_initcall,
> };
> diff --git a/security/smack/smack_netfilter.c
> b/security/smack/smack_netfilter.c
> index 8fd747b3653a..17ba578b1308 100644
> --- a/security/smack/smack_netfilter.c
> +++ b/security/smack/smack_netfilter.c
> @@ -68,7 +68,7 @@ static struct pernet_operations smack_net_ops = {
> .exit = smack_nf_unregister,
> };
>
> -static int __init smack_nf_ip_init(void)
> +int __init smack_nf_ip_init(void)
> {
> if (smack_enabled == 0)
> return 0;
> @@ -76,5 +76,3 @@ static int __init smack_nf_ip_init(void)
> printk(KERN_DEBUG "Smack: Registering netfilter hooks\n");
> return register_pernet_subsys(&smack_net_ops);
> }
> -
> -__initcall(smack_nf_ip_init);
> diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
> index 90a67e410808..d33dd0368807 100644
> --- a/security/smack/smackfs.c
> +++ b/security/smack/smackfs.c
> @@ -2980,7 +2980,7 @@ static struct vfsmount *smackfs_mount;
> * Returns true if we were not chosen on boot or if
> * we were chosen and filesystem registration succeeded.
> */
> -static int __init init_smk_fs(void)
> +int __init init_smk_fs(void)
> {
> int err;
> int rc;
> @@ -3023,5 +3023,3 @@ static int __init init_smk_fs(void)
>
> return err;
> }
> -
> -__initcall(init_smk_fs);
