Re: [PATCH v5 1/1] security: Add mechanism to safely (un)load LSMs after boot time

Tetsuo Handa Sun, 08 Apr 2018 20:40:46 -0700

Suggested changes on top of your patch:

  Replace "struct hlist_head *head" in "struct security_hook_list" with
  "const unsigned int offset" because there is no need to initialize with
  address of the immutable/mutable chains.


  Remove LSM_HOOK_INIT_MUTABLE() by embedding just offset (in bytes) from
  head of "struct security_hook_heads" into "struct security_hook_list"->offset.

  Make "struct security_hook_heads security_hook_heads" and
  "struct security_hook_heads security_hook_heads_mutable" local variables.

  Rename "struct security_hook_heads security_hook_heads" to
  "struct security_hook_heads security_mutable_hook_heads" and mark it as
  __ro_after_init.

  Add the fourth argument to security_add_hooks() which specifies to which
  chain (security_{mutable|immutable}_hook_heads) to connect.

  Make all built-in LSM modules (except SELinux if
  CONFIG_SECURITY_SELINUX_DISABLE=y) be connected to
  security_immutable_hook_heads.

  Rename __lsm_ro_after_init to __selinux_ro_after_init which is local to
  SELinux.

  Mark "struct security_hook_list"->hook const because it won't change.

  Mark "struct security_hook_list"->lsm const because none of
  security_add_hooks() callers are ready to modify the third argument.

  Remove SECURITY_HOOK_COUNT and "struct security_hook_list"->owner and
  the exception in randomize_layout_plugin.c because preventing module
  unloading won't work as expected.

---
 include/linux/lsm_hooks.h                     |  23 +-
 scripts/gcc-plugins/randomize_layout_plugin.c |   2 -
 security/apparmor/lsm.c                       |   4 +-
 security/commoncap.c                          |   4 +-
 security/loadpin/loadpin.c                    |   5 +-
 security/security.c                           |  52 +--
 security/selinux/hooks.c                      | 437 +++++++++++++-------------
 security/smack/smack_lsm.c                    |   5 +-
 security/tomoyo/tomoyo.c                      |   5 +-
 security/yama/yama_lsm.c                      |   4 +-
 10 files changed, 265 insertions(+), 276 deletions(-)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 9cd7527..13d9d3a 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -2006,11 +2006,10 @@ struct security_hook_heads {
  * For use with generic list macros for common operations.
  */
 struct security_hook_list {
-       struct hlist_node               list;
-       struct hlist_head               *head;
-       union security_list_options     hook;
-       char                            *lsm;
-       struct module                   *owner;
+       struct hlist_node                       list;
+       const unsigned int                      offset;
+       const union security_list_options       hook;
+       const char                              *lsm;
 } __randomize_layout;
 
 /*
@@ -2021,26 +2020,16 @@ struct security_hook_list {
  */
 #define LSM_HOOK_INIT(HEAD, HOOK) \
        {                                               \
-               .head = &security_hook_heads.HEAD,      \
+               .offset = offsetof(struct security_hook_heads, HEAD), \
                .hook = { .HEAD = HOOK },               \
-               .owner = THIS_MODULE,                   \
        }
-extern struct security_hook_heads security_hook_heads;
 extern char *lsm_names;
 
 extern void security_add_hooks(struct security_hook_list *hooks, int count,
-                               char *lsm);
+                              const char *lsm, const bool dynamic);
 
-#define __lsm_ro_after_init    __ro_after_init
 /* Used to facilitate runtime hook unloading, and loading */
 #ifdef CONFIG_SECURITY_WRITABLE_HOOKS
-#define LSM_HOOK_INIT_MUTABLE(HEAD, HOOK) \
-       {                                                       \
-               .head = &security_hook_heads_mutable.HEAD,      \
-               .hook = { .HEAD = HOOK },                       \
-               .owner = THIS_MODULE,                           \
-       }
-extern struct security_hook_heads security_hook_heads_mutable;
 /*
  * Assuring the safety of deleting a security module is up to
  * the security module involved. This may entail ordering the
diff --git a/scripts/gcc-plugins/randomize_layout_plugin.c 
b/scripts/gcc-plugins/randomize_layout_plugin.c
index 6d5bbd3..d941389 100644
--- a/scripts/gcc-plugins/randomize_layout_plugin.c
+++ b/scripts/gcc-plugins/randomize_layout_plugin.c
@@ -52,8 +52,6 @@ struct whitelist_entry {
        { "net/unix/af_unix.c", "unix_skb_parms", "char" },
        /* big_key payload.data struct splashing */
        { "security/keys/big_key.c", "path", "void *" },
-       /* walk struct security_hook_heads as an array of struct hlist_head */
-       { "security/security.c", "hlist_head", "security_hook_heads" },
        { }
 };
 
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index cf00c85..0eb4e1b 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -1118,7 +1118,7 @@ static void apparmor_sock_graft(struct sock *sk, struct 
socket *parent)
                ctx->label = aa_get_current_label();
 }
 
-static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list apparmor_hooks[] __ro_after_init = {
        LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
        LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
        LSM_HOOK_INIT(capget, apparmor_capget),
@@ -1563,7 +1563,7 @@ static int __init apparmor_init(void)
                goto buffers_out;
        }
        security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks),
-                               "apparmor");
+                          "apparmor", false);
 
        /* Report that AppArmor successfully initialized */
        apparmor_initialized = 1;
diff --git a/security/commoncap.c b/security/commoncap.c
index 48620c9..757a811 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -1339,7 +1339,7 @@ int cap_mmap_file(struct file *file, unsigned long 
reqprot,
 
 #ifdef CONFIG_SECURITY
 
-struct security_hook_list capability_hooks[] __lsm_ro_after_init = {
+struct security_hook_list capability_hooks[] __ro_after_init = {
        LSM_HOOK_INIT(capable, cap_capable),
        LSM_HOOK_INIT(settime, cap_settime),
        LSM_HOOK_INIT(ptrace_access_check, cap_ptrace_access_check),
@@ -1363,7 +1363,7 @@ struct security_hook_list capability_hooks[] 
__lsm_ro_after_init = {
 void __init capability_add_hooks(void)
 {
        security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks),
-                               "capability");
+                          "capability", false);
 }
 
 #endif /* CONFIG_SECURITY */
diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c
index 5fa1912..29306d8 100644
--- a/security/loadpin/loadpin.c
+++ b/security/loadpin/loadpin.c
@@ -173,7 +173,7 @@ static int loadpin_read_file(struct file *file, enum 
kernel_read_file_id id)
        return 0;
 }
 
-static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list loadpin_hooks[] __ro_after_init = {
        LSM_HOOK_INIT(sb_free_security, loadpin_sb_free_security),
        LSM_HOOK_INIT(kernel_read_file, loadpin_read_file),
 };
@@ -181,7 +181,8 @@ static int loadpin_read_file(struct file *file, enum 
kernel_read_file_id id)
 void __init loadpin_add_hooks(void)
 {
        pr_info("ready to pin (currently %sabled)", enabled ? "en" : "dis");
-       security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), "loadpin");
+       security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), "loadpin",
+                          false);
 }
 
 /* Should not be mutable after boot, so not listed in sysfs (perm == 0). */
diff --git a/security/security.c b/security/security.c
index ca93ed4..61117ee 100644
--- a/security/security.c
+++ b/security/security.c
@@ -32,15 +32,12 @@
 #include <linux/srcu.h>
 #include <linux/mutex.h>
 
-#define SECURITY_HOOK_COUNT \
-       (sizeof(security_hook_heads) / sizeof(struct hlist_head))
-
 #define MAX_LSM_EVM_XATTR      2
 
 /* Maximum number of letters for an LSM name string */
 #define SECURITY_NAME_MAX      10
 
-struct security_hook_heads security_hook_heads __lsm_ro_after_init;
+static struct security_hook_heads security_immutable_hook_heads 
__ro_after_init;
 
 static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain);
 static DEFINE_MUTEX(security_hook_mutex);
@@ -60,7 +57,8 @@ static void __init do_security_initcalls(void)
        }
 }
 #define FOR_EACH_SECURITY_HOOK(ITERATOR, HEAD) \
-       hlist_for_each_entry(ITERATOR, &security_hook_heads.HEAD, list)
+       hlist_for_each_entry(ITERATOR, &security_immutable_hook_heads.HEAD, \
+                            list)
 
 #ifdef CONFIG_SECURITY_WRITABLE_HOOKS
 /*
@@ -68,8 +66,7 @@ static void __init do_security_initcalls(void)
  * security_hook_heads. These security_hook_heads will only be executed
  * if all immutable hooks are executed successfully.
  */
-struct security_hook_heads security_hook_heads_mutable;
-EXPORT_SYMBOL_GPL(security_hook_heads_mutable);
+static struct security_hook_heads security_mutable_hook_heads;
 DEFINE_STATIC_SRCU(security_hook_srcu);
 
 /*
@@ -83,21 +80,11 @@ static void __init do_security_initcalls(void)
 
 static void lock_existing_hooks(void)
 {
-       struct hlist_head *list = (struct hlist_head *)
-                                       &security_hook_heads_mutable;
-       struct security_hook_list *P;
-       int i;
-
        /*
-        * Prevent module unloading while we're doing this
-        * try_module_get may fail (safely), if the module
-        * is already unloading -- allow that.
+        * TODO: try_module_get() does not prevent forced module unloading
+        * (CONFIG_MODULE_FORCE_UNLOAD=y). We need to add a hook into
+        * delete_module() and check if it is an LSM module.
         */
-       mutex_lock(&module_mutex);
-       for (i = 0; i < SECURITY_HOOK_COUNT; i++)
-               hlist_for_each_entry(P, &list[i], list)
-                       try_module_get(P->owner);
-       mutex_unlock(&module_mutex);
 }
 
 static int allow_unload_hooks_set(const char *val,
@@ -171,7 +158,7 @@ void security_delete_hooks(struct security_hook_list 
*hooks, int count)
 EXPORT_SYMBOL_GPL(security_delete_hooks);
 
 #define FOR_EACH_SECURITY_HOOK_MUTABLE(ITERATOR, HEAD) \
-       hlist_for_each_entry(ITERATOR, &security_hook_heads_mutable.HEAD, list)
+       hlist_for_each_entry(ITERATOR, &security_mutable_hook_heads.HEAD, list)
 #else
 static inline int lock_lsm(void)
 {
@@ -232,7 +219,7 @@ static bool match_last_lsm(const char *list, const char 
*lsm)
        return !strcmp(last, lsm);
 }
 
-static int lsm_append(char *new, char **result)
+static int lsm_append(const char *new, char **result)
 {
        char *cp;
 
@@ -279,19 +266,32 @@ int __init security_module_enable(const char *module)
  * @hooks: the hooks to add
  * @count: the number of hooks to add
  * @lsm: the name of the security module
+ * @dynamic: True if dynamic registration and/or unregistration is needed.
  *
  * Each LSM has to register its hooks with the infrastructure.
  */
-void security_add_hooks(struct security_hook_list *hooks, int count, char *lsm)
+void security_add_hooks(struct security_hook_list *hooks, int count,
+                       const char *lsm, const bool dynamic)
 {
        int i;
 
        mutex_lock(&security_hook_mutex);
        for (i = 0; i < count; i++) {
+               unsigned long offset = hooks[i].offset;
+               struct hlist_head *head;
+
+               BUG_ON(offset > sizeof(struct security_hook_heads)
+                      - sizeof(struct hlist_head));
+               if (!IS_ENABLED(CONFIG_SECURITY_WRITABLE_HOOKS) || !dynamic)
+                       head = (struct hlist_head *)
+                               (((char *) &security_immutable_hook_heads)
+                                + offset);
+               else
+                       head = (struct hlist_head *)
+                               (((char *) &security_mutable_hook_heads)
+                                + offset);
                hooks[i].lsm = lsm;
-               hlist_add_tail_rcu(&hooks[i].list, hooks[i].head);
-               if (!allow_unload_hooks)
-                       WARN_ON(!try_module_get(hooks[i].owner));
+               hlist_add_tail_rcu(&hooks[i].list, head);
        }
        mutex_unlock(&security_hook_mutex);
 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 95239a2..109d3d0 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6851,244 +6851,242 @@ static void selinux_bpf_prog_free(struct bpf_prog_aux 
*aux)
 
 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
 #define __selinux_ro_after_init
-#define SELINUX_HOOK_INIT LSM_HOOK_INIT_MUTABLE
 #else
-#define __selinux_ro_after_init        __lsm_ro_after_init
-#define SELINUX_HOOK_INIT LSM_HOOK_INIT 
+#define __selinux_ro_after_init        __ro_after_init
 #endif
 
-static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
-       SELINUX_HOOK_INIT(binder_set_context_mgr, 
selinux_binder_set_context_mgr),
-       SELINUX_HOOK_INIT(binder_transaction, selinux_binder_transaction),
-       SELINUX_HOOK_INIT(binder_transfer_binder, 
selinux_binder_transfer_binder),
-       SELINUX_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
-
-       SELINUX_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
-       SELINUX_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
-       SELINUX_HOOK_INIT(capget, selinux_capget),
-       SELINUX_HOOK_INIT(capset, selinux_capset),
-       SELINUX_HOOK_INIT(capable, selinux_capable),
-       SELINUX_HOOK_INIT(quotactl, selinux_quotactl),
-       SELINUX_HOOK_INIT(quota_on, selinux_quota_on),
-       SELINUX_HOOK_INIT(syslog, selinux_syslog),
-       SELINUX_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
-
-       SELINUX_HOOK_INIT(netlink_send, selinux_netlink_send),
-
-       SELINUX_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
-       SELINUX_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
-       SELINUX_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
-
-       SELINUX_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
-       SELINUX_HOOK_INIT(sb_free_security, selinux_sb_free_security),
-       SELINUX_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
-       SELINUX_HOOK_INIT(sb_remount, selinux_sb_remount),
-       SELINUX_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
-       SELINUX_HOOK_INIT(sb_show_options, selinux_sb_show_options),
-       SELINUX_HOOK_INIT(sb_statfs, selinux_sb_statfs),
-       SELINUX_HOOK_INIT(sb_mount, selinux_mount),
-       SELINUX_HOOK_INIT(sb_umount, selinux_umount),
-       SELINUX_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
-       SELINUX_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
-       SELINUX_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
-
-       SELINUX_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
-       SELINUX_HOOK_INIT(dentry_create_files_as, 
selinux_dentry_create_files_as),
-
-       SELINUX_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
-       SELINUX_HOOK_INIT(inode_free_security, selinux_inode_free_security),
-       SELINUX_HOOK_INIT(inode_init_security, selinux_inode_init_security),
-       SELINUX_HOOK_INIT(inode_create, selinux_inode_create),
-       SELINUX_HOOK_INIT(inode_link, selinux_inode_link),
-       SELINUX_HOOK_INIT(inode_unlink, selinux_inode_unlink),
-       SELINUX_HOOK_INIT(inode_symlink, selinux_inode_symlink),
-       SELINUX_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
-       SELINUX_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
-       SELINUX_HOOK_INIT(inode_mknod, selinux_inode_mknod),
-       SELINUX_HOOK_INIT(inode_rename, selinux_inode_rename),
-       SELINUX_HOOK_INIT(inode_readlink, selinux_inode_readlink),
-       SELINUX_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
-       SELINUX_HOOK_INIT(inode_permission, selinux_inode_permission),
-       SELINUX_HOOK_INIT(inode_setattr, selinux_inode_setattr),
-       SELINUX_HOOK_INIT(inode_getattr, selinux_inode_getattr),
-       SELINUX_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
-       SELINUX_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
-       SELINUX_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
-       SELINUX_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
-       SELINUX_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
-       SELINUX_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
-       SELINUX_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
-       SELINUX_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
-       SELINUX_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
-       SELINUX_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
-       SELINUX_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
-
-       SELINUX_HOOK_INIT(file_permission, selinux_file_permission),
-       SELINUX_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
-       SELINUX_HOOK_INIT(file_free_security, selinux_file_free_security),
-       SELINUX_HOOK_INIT(file_ioctl, selinux_file_ioctl),
-       SELINUX_HOOK_INIT(mmap_file, selinux_mmap_file),
-       SELINUX_HOOK_INIT(mmap_addr, selinux_mmap_addr),
-       SELINUX_HOOK_INIT(file_mprotect, selinux_file_mprotect),
-       SELINUX_HOOK_INIT(file_lock, selinux_file_lock),
-       SELINUX_HOOK_INIT(file_fcntl, selinux_file_fcntl),
-       SELINUX_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
-       SELINUX_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
-       SELINUX_HOOK_INIT(file_receive, selinux_file_receive),
-
-       SELINUX_HOOK_INIT(file_open, selinux_file_open),
-
-       SELINUX_HOOK_INIT(task_alloc, selinux_task_alloc),
-       SELINUX_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
-       SELINUX_HOOK_INIT(cred_free, selinux_cred_free),
-       SELINUX_HOOK_INIT(cred_prepare, selinux_cred_prepare),
-       SELINUX_HOOK_INIT(cred_transfer, selinux_cred_transfer),
-       SELINUX_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
-       SELINUX_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
-       SELINUX_HOOK_INIT(kernel_create_files_as, 
selinux_kernel_create_files_as),
-       SELINUX_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
-       SELINUX_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
-       SELINUX_HOOK_INIT(task_setpgid, selinux_task_setpgid),
-       SELINUX_HOOK_INIT(task_getpgid, selinux_task_getpgid),
-       SELINUX_HOOK_INIT(task_getsid, selinux_task_getsid),
-       SELINUX_HOOK_INIT(task_getsecid, selinux_task_getsecid),
-       SELINUX_HOOK_INIT(task_setnice, selinux_task_setnice),
-       SELINUX_HOOK_INIT(task_setioprio, selinux_task_setioprio),
-       SELINUX_HOOK_INIT(task_getioprio, selinux_task_getioprio),
-       SELINUX_HOOK_INIT(task_prlimit, selinux_task_prlimit),
-       SELINUX_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
-       SELINUX_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
-       SELINUX_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
-       SELINUX_HOOK_INIT(task_movememory, selinux_task_movememory),
-       SELINUX_HOOK_INIT(task_kill, selinux_task_kill),
-       SELINUX_HOOK_INIT(task_to_inode, selinux_task_to_inode),
-
-       SELINUX_HOOK_INIT(ipc_permission, selinux_ipc_permission),
-       SELINUX_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
-
-       SELINUX_HOOK_INIT(msg_msg_alloc_security, 
selinux_msg_msg_alloc_security),
-       SELINUX_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
-
-       SELINUX_HOOK_INIT(msg_queue_alloc_security,
+static struct security_hook_list selinux_hooks[] __selinux_ro_after_init = {
+       LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
+       LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
+       LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
+       LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
+
+       LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
+       LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
+       LSM_HOOK_INIT(capget, selinux_capget),
+       LSM_HOOK_INIT(capset, selinux_capset),
+       LSM_HOOK_INIT(capable, selinux_capable),
+       LSM_HOOK_INIT(quotactl, selinux_quotactl),
+       LSM_HOOK_INIT(quota_on, selinux_quota_on),
+       LSM_HOOK_INIT(syslog, selinux_syslog),
+       LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
+
+       LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
+
+       LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
+       LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
+       LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
+
+       LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
+       LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
+       LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
+       LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
+       LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
+       LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
+       LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
+       LSM_HOOK_INIT(sb_mount, selinux_mount),
+       LSM_HOOK_INIT(sb_umount, selinux_umount),
+       LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
+       LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
+       LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
+
+       LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
+       LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
+
+       LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
+       LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
+       LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
+       LSM_HOOK_INIT(inode_create, selinux_inode_create),
+       LSM_HOOK_INIT(inode_link, selinux_inode_link),
+       LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
+       LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
+       LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
+       LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
+       LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
+       LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
+       LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
+       LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
+       LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
+       LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
+       LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
+       LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
+       LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
+       LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
+       LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
+       LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
+       LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
+       LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
+       LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
+       LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
+       LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
+       LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
+
+       LSM_HOOK_INIT(file_permission, selinux_file_permission),
+       LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
+       LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
+       LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
+       LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
+       LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
+       LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
+       LSM_HOOK_INIT(file_lock, selinux_file_lock),
+       LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
+       LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
+       LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
+       LSM_HOOK_INIT(file_receive, selinux_file_receive),
+
+       LSM_HOOK_INIT(file_open, selinux_file_open),
+
+       LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
+       LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
+       LSM_HOOK_INIT(cred_free, selinux_cred_free),
+       LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
+       LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
+       LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
+       LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
+       LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
+       LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
+       LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
+       LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
+       LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
+       LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
+       LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
+       LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
+       LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
+       LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
+       LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
+       LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
+       LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
+       LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
+       LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
+       LSM_HOOK_INIT(task_kill, selinux_task_kill),
+       LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
+
+       LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
+       LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
+
+       LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
+       LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
+
+       LSM_HOOK_INIT(msg_queue_alloc_security,
                        selinux_msg_queue_alloc_security),
-       SELINUX_HOOK_INIT(msg_queue_free_security, 
selinux_msg_queue_free_security),
-       SELINUX_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
-       SELINUX_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
-       SELINUX_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
-       SELINUX_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
-
-       SELINUX_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
-       SELINUX_HOOK_INIT(shm_free_security, selinux_shm_free_security),
-       SELINUX_HOOK_INIT(shm_associate, selinux_shm_associate),
-       SELINUX_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
-       SELINUX_HOOK_INIT(shm_shmat, selinux_shm_shmat),
-
-       SELINUX_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
-       SELINUX_HOOK_INIT(sem_free_security, selinux_sem_free_security),
-       SELINUX_HOOK_INIT(sem_associate, selinux_sem_associate),
-       SELINUX_HOOK_INIT(sem_semctl, selinux_sem_semctl),
-       SELINUX_HOOK_INIT(sem_semop, selinux_sem_semop),
-
-       SELINUX_HOOK_INIT(d_instantiate, selinux_d_instantiate),
-
-       SELINUX_HOOK_INIT(getprocattr, selinux_getprocattr),
-       SELINUX_HOOK_INIT(setprocattr, selinux_setprocattr),
-
-       SELINUX_HOOK_INIT(ismaclabel, selinux_ismaclabel),
-       SELINUX_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
-       SELINUX_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
-       SELINUX_HOOK_INIT(release_secctx, selinux_release_secctx),
-       SELINUX_HOOK_INIT(inode_invalidate_secctx, 
selinux_inode_invalidate_secctx),
-       SELINUX_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
-       SELINUX_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
-       SELINUX_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
-
-       SELINUX_HOOK_INIT(unix_stream_connect, 
selinux_socket_unix_stream_connect),
-       SELINUX_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
-
-       SELINUX_HOOK_INIT(socket_create, selinux_socket_create),
-       SELINUX_HOOK_INIT(socket_post_create, selinux_socket_post_create),
-       SELINUX_HOOK_INIT(socket_bind, selinux_socket_bind),
-       SELINUX_HOOK_INIT(socket_connect, selinux_socket_connect),
-       SELINUX_HOOK_INIT(socket_listen, selinux_socket_listen),
-       SELINUX_HOOK_INIT(socket_accept, selinux_socket_accept),
-       SELINUX_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
-       SELINUX_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
-       SELINUX_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
-       SELINUX_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
-       SELINUX_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
-       SELINUX_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
-       SELINUX_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
-       SELINUX_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
-       SELINUX_HOOK_INIT(socket_getpeersec_stream,
+       LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
+       LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
+       LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
+       LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
+       LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
+
+       LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
+       LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
+       LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
+       LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
+       LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
+
+       LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
+       LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
+       LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
+       LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
+       LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
+
+       LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
+
+       LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
+       LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
+
+       LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
+       LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
+       LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
+       LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
+       LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
+       LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
+       LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
+       LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
+
+       LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
+       LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
+
+       LSM_HOOK_INIT(socket_create, selinux_socket_create),
+       LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
+       LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
+       LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
+       LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
+       LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
+       LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
+       LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
+       LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
+       LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
+       LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
+       LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
+       LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
+       LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
+       LSM_HOOK_INIT(socket_getpeersec_stream,
                        selinux_socket_getpeersec_stream),
-       SELINUX_HOOK_INIT(socket_getpeersec_dgram, 
selinux_socket_getpeersec_dgram),
-       SELINUX_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
-       SELINUX_HOOK_INIT(sk_free_security, selinux_sk_free_security),
-       SELINUX_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
-       SELINUX_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
-       SELINUX_HOOK_INIT(sock_graft, selinux_sock_graft),
-       SELINUX_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
-       SELINUX_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
-       SELINUX_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
-       SELINUX_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
-       SELINUX_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
-       SELINUX_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
-       SELINUX_HOOK_INIT(secmark_relabel_packet, 
selinux_secmark_relabel_packet),
-       SELINUX_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
-       SELINUX_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
-       SELINUX_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
-       SELINUX_HOOK_INIT(tun_dev_alloc_security, 
selinux_tun_dev_alloc_security),
-       SELINUX_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
-       SELINUX_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
-       SELINUX_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
-       SELINUX_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
-       SELINUX_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
+       LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
+       LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
+       LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
+       LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
+       LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
+       LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
+       LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
+       LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
+       LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
+       LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
+       LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
+       LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
+       LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
+       LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
+       LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
+       LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
+       LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
+       LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
+       LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
+       LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
+       LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
+       LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
 #ifdef CONFIG_SECURITY_INFINIBAND
-       SELINUX_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
-       SELINUX_HOOK_INIT(ib_endport_manage_subnet,
+       LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
+       LSM_HOOK_INIT(ib_endport_manage_subnet,
                      selinux_ib_endport_manage_subnet),
-       SELINUX_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
-       SELINUX_HOOK_INIT(ib_free_security, selinux_ib_free_security),
+       LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
+       LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
 #endif
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
-       SELINUX_HOOK_INIT(xfrm_policy_alloc_security, 
selinux_xfrm_policy_alloc),
-       SELINUX_HOOK_INIT(xfrm_policy_clone_security, 
selinux_xfrm_policy_clone),
-       SELINUX_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
-       SELINUX_HOOK_INIT(xfrm_policy_delete_security, 
selinux_xfrm_policy_delete),
-       SELINUX_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
-       SELINUX_HOOK_INIT(xfrm_state_alloc_acquire,
+       LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
+       LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
+       LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
+       LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
+       LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
+       LSM_HOOK_INIT(xfrm_state_alloc_acquire,
                        selinux_xfrm_state_alloc_acquire),
-       SELINUX_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
-       SELINUX_HOOK_INIT(xfrm_state_delete_security, 
selinux_xfrm_state_delete),
-       SELINUX_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
-       SELINUX_HOOK_INIT(xfrm_state_pol_flow_match,
+       LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
+       LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
+       LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
+       LSM_HOOK_INIT(xfrm_state_pol_flow_match,
                        selinux_xfrm_state_pol_flow_match),
-       SELINUX_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
+       LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
 #endif
 
 #ifdef CONFIG_KEYS
-       SELINUX_HOOK_INIT(key_alloc, selinux_key_alloc),
-       SELINUX_HOOK_INIT(key_free, selinux_key_free),
-       SELINUX_HOOK_INIT(key_permission, selinux_key_permission),
-       SELINUX_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
+       LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
+       LSM_HOOK_INIT(key_free, selinux_key_free),
+       LSM_HOOK_INIT(key_permission, selinux_key_permission),
+       LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
 #endif
 
 #ifdef CONFIG_AUDIT
-       SELINUX_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
-       SELINUX_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
-       SELINUX_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
-       SELINUX_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
+       LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
+       LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
+       LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
+       LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
 #endif
 
 #ifdef CONFIG_BPF_SYSCALL
-       SELINUX_HOOK_INIT(bpf, selinux_bpf),
-       SELINUX_HOOK_INIT(bpf_map, selinux_bpf_map),
-       SELINUX_HOOK_INIT(bpf_prog, selinux_bpf_prog),
-       SELINUX_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
-       SELINUX_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
-       SELINUX_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
-       SELINUX_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
+       LSM_HOOK_INIT(bpf, selinux_bpf),
+       LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
+       LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
+       LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
+       LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
+       LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
+       LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
 #endif
 };
 
@@ -7131,7 +7129,8 @@ static __init int selinux_init(void)
 
        hashtab_cache_init();
 
-       security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
+       security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux",
+                          IS_ENABLED(CONFIG_SECURITY_SELINUX_DISABLE));
 
        if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
                panic("SELinux: Unable to register AVC netcache callback\n");
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 0b41483..02b8158 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4623,7 +4623,7 @@ static int smack_dentry_create_files_as(struct dentry 
*dentry, int mode,
        return 0;
 }
 
-static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list smack_hooks[] __ro_after_init = {
        LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check),
        LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme),
        LSM_HOOK_INIT(syslog, smack_syslog),
@@ -4842,7 +4842,8 @@ static __init int smack_init(void)
        /*
         * Register with LSM
         */
-       security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack");
+       security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack",
+                          false);
 
        return 0;
 }
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index 213b8c5..3b8ee5d 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -497,7 +497,7 @@ static int tomoyo_socket_sendmsg(struct socket *sock, 
struct msghdr *msg,
  * tomoyo_security_ops is a "struct security_operations" which is used for
  * registering TOMOYO.
  */
-static struct security_hook_list tomoyo_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list tomoyo_hooks[] __ro_after_init = {
        LSM_HOOK_INIT(cred_alloc_blank, tomoyo_cred_alloc_blank),
        LSM_HOOK_INIT(cred_prepare, tomoyo_cred_prepare),
        LSM_HOOK_INIT(cred_transfer, tomoyo_cred_transfer),
@@ -543,7 +543,8 @@ static int __init tomoyo_init(void)
        if (!security_module_enable("tomoyo"))
                return 0;
        /* register ourselves with the security framework */
-       security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo");
+       security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo",
+                          false);
        printk(KERN_INFO "TOMOYO Linux initialized\n");
        cred->security = &tomoyo_kernel_domain;
        tomoyo_mm_init();
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
index ffda91a..21b64a6 100644
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -423,7 +423,7 @@ int yama_ptrace_traceme(struct task_struct *parent)
        return rc;
 }
 
-static struct security_hook_list yama_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list yama_hooks[] __ro_after_init = {
        LSM_HOOK_INIT(ptrace_access_check, yama_ptrace_access_check),
        LSM_HOOK_INIT(ptrace_traceme, yama_ptrace_traceme),
        LSM_HOOK_INIT(task_prctl, yama_task_prctl),
@@ -480,6 +480,6 @@ static inline void yama_init_sysctl(void) { }
 void __init yama_add_hooks(void)
 {
        pr_info("Yama: becoming mindful.\n");
-       security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks), "yama");
+       security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks), "yama", false);
        yama_init_sysctl();
 }
-- 
1.8.3.1

Re: [PATCH v5 1/1] security: Add mechanism to safely (un)load LSMs after boot time

Reply via email to