LSM: Convert security_initcall() into DEFINE_LSM()

Instead of using argument-based initializers, switch to defining the
contents of struct lsm_info on a per-LSM basis. This also drops
the final use of the now inaccurate "initcall" naming.

Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: James Morris <james.morris@microsoft.com>
Signed-off-by: James Morris <james.morris@microsoft.com>

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index d13059feca0939f04792169a787afbf920a0efec..9c6b4198ff5aaa42b8a8438d73a0147cfed27c39 100644 (file)
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -2045,11 +2045,10 @@ struct lsm_info {
 
 extern struct lsm_info __start_lsm_info[], __end_lsm_info[];
 
-#define security_initcall(lsm)                                         \
+#define DEFINE_LSM(lsm)                                                        \
        static struct lsm_info __lsm_##lsm                              \
                __used __section(.lsm_info.init)                        \
-               __aligned(sizeof(unsigned long))                        \
-               = { .init = lsm, }
+               __aligned(sizeof(unsigned long))
 
 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
 /*

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 8b8b70620bbe753e35db3fe5e679334dab8ebb83..c4863956c832fabf8f4aac2a433dc48fe189d307 100644 (file)
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -1606,4 +1606,6 @@ alloc_out:
        return error;
 }
 
-security_initcall(apparmor_init);
+DEFINE_LSM(apparmor) = {
+       .init = apparmor_init,
+};

diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index 70d21b566955445cb28ce85632bd630650dd22d9..94e8e18207483ff494695e14044056863a21a667 100644 (file)
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -175,7 +175,9 @@ static int __init integrity_iintcache_init(void)
                              0, SLAB_PANIC, init_once);
        return 0;
 }
-security_initcall(integrity_iintcache_init);
+DEFINE_LSM(integrity) = {
+       .init = integrity_iintcache_init,
+};
 
 
 /*

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index ad9a9b8e997941640b6de40fd9af4a1b17f39d04..6ca2e89ddbd6abef7414f90d3455e9ee79878343 100644 (file)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -7202,7 +7202,9 @@ void selinux_complete_init(void)
 
 /* SELinux requires early initialization in order to label
    all processes and objects when they are created. */
-security_initcall(selinux_init);
+DEFINE_LSM(selinux) = {
+       .init = selinux_init,
+};
 
 #if defined(CONFIG_NETFILTER)
 

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 340fc30ad85d7546dcb59b1f68afe286aed1cbba..c62e26939a698ab972ca6e4c72ee490f13b1159f 100644 (file)
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4882,4 +4882,6 @@ static __init int smack_init(void)
  * Smack requires early initialization in order to label
  * all processes and objects when they are created.
  */
-security_initcall(smack_init);
+DEFINE_LSM(smack) = {
+       .init = smack_init,
+};

diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index 9f932e2d68521c2da50be376cb41c51d700425f4..b2d833999910fb75bb9a853471a8aec7f1aae93b 100644 (file)
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -550,4 +550,6 @@ static int __init tomoyo_init(void)
        return 0;
 }
 
-security_initcall(tomoyo_init);
+DEFINE_LSM(tomoyo) = {
+       .init = tomoyo_init,
+};