On Wed, Apr 09, 2025 at 02:49:52PM -0400, Paul Moore wrote:
> Move the LSM count and lsm_id list declarations out of a header that is
> visible across the kernel and into a header that is limited to the LSM
> framework. This not only helps keep the include/linux headers smaller
> and cleaner, it helps prevent misuse of these variables.
Yay for private headers! > During the move, lsm_active_cnt was renamed to lsm_count for the sake > of brevity. I would echo Casey's comment. Other places deal with a count based on the compile-in count of "all" LSMs. This one is for the active list. If you really want two words, perhaps "lsms_active"? > > Signed-off-by: Paul Moore <[email protected]> > --- > include/linux/security.h | 2 -- > security/lsm.h | 5 +++++ > security/lsm_init.c | 8 +------- > security/lsm_syscalls.c | 8 +++++--- > security/security.c | 3 +++ > 5 files changed, 14 insertions(+), 12 deletions(-) > > diff --git a/include/linux/security.h b/include/linux/security.h > index cc9b54d95d22..8aac21787a9f 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -167,8 +167,6 @@ struct lsm_prop { > }; > > extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1]; > -extern u32 lsm_active_cnt; > -extern const struct lsm_id *lsm_idlist[]; > > /* These functions are in security/commoncap.c */ > extern int cap_capable(const struct cred *cred, struct user_namespace *ns, > diff --git a/security/lsm.h b/security/lsm.h > index 0e1731bad4a7..af343072199d 100644 > --- a/security/lsm.h > +++ b/security/lsm.h > @@ -7,6 +7,11 @@ > #define _LSM_H_ > > #include <linux/lsm_hooks.h> > +#include <linux/lsm_count.h> > + > +/* List of configured LSMs */ > +extern unsigned int lsm_count; > +extern const struct lsm_id *lsm_idlist[]; > > /* LSM blob configuration */ > extern struct lsm_blob_sizes blob_sizes; > diff --git a/security/lsm_init.c b/security/lsm_init.c > index edf2f4140eaa..981ddb20f48e 100644 > --- a/security/lsm_init.c > +++ b/security/lsm_init.c 
> @@ -22,8 +22,8 @@ static __initdata const char *lsm_order_cmdline; > static __initdata const char *lsm_order_legacy; > > /* Ordered list of LSMs to initialize. */ > -static __initdata struct lsm_info *lsm_order[MAX_LSM_COUNT + 1]; > static __initdata struct lsm_info *lsm_exclusive; > +static __initdata struct lsm_info *lsm_order[MAX_LSM_COUNT + 1]; I don't care either way, but why re-order these? Just local reverse xmas-tree? -- Kees Cook
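Review bot: the include/linux/security.h hunk drops "extern u32 lsm_active_cnt;", but the replacement declaration in security/lsm.h is "extern unsigned int lsm_count;", so the type changes from u32 to unsigned int along with the rename and the commit message only mentions the rename. Either keep u32 or state the type change explicitly, and make sure the definition in security/security.c and the user in security/lsm_syscalls.c (both in the diffstat, neither quoted here) agree with whichever type is chosen.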
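Review bot: in the security/lsm.h hunk the comment "/* List of configured LSMs */" above "extern unsigned int lsm_count;" reads as the compile-time set, while the variable (the renamed lsm_active_cnt) counts the active list; reword it to say "active" so the distinction from MAX_LSM_COUNT stays visible at the declaration. The added "#include <linux/lsm_count.h>" is not used by anything visible in this hunk; if it is there so that lsm_init.c's MAX_LSM_COUNT array bound resolves through lsm.h, a line in the commit message saying so would help.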
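Review bot: the security/lsm_init.c hunk swaps the order of the "lsm_order" and "lsm_exclusive" declarations without changing either, which is unrelated to moving the count and lsm_id list declarations into security/lsm.h and is not mentioned in the commit message; either drop the reorder from this patch or add a sentence explaining it, so the hunk only carries the change the subject describes.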
