Message ID | 20221123201552.7865-3-casey@schaufler-ca.com (mailing list archive)
---|---
State | Superseded
Delegated to: | Paul Moore
Series | LSM: Three basic syscalls
On 23/11/2022 21:15, Casey Schaufler wrote: > Add an integer member "attrs_used" to the struct lsm_id which > identifies the API related data associated with each security > module. The initial set of features maps to information that > has traditionaly been available in /proc/self/attr. They are > documented in a new userspace-api file. > > Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> > --- > Documentation/userspace-api/index.rst | 1 + > Documentation/userspace-api/lsm.rst | 55 +++++++++++++++++++++++++++ > include/linux/lsm_hooks.h | 2 + > include/uapi/linux/lsm.h | 12 ++++++ > security/apparmor/lsm.c | 1 + > security/selinux/hooks.c | 2 + > security/smack/smack_lsm.c | 1 + > 7 files changed, 74 insertions(+) > create mode 100644 Documentation/userspace-api/lsm.rst > > diff --git a/Documentation/userspace-api/index.rst b/Documentation/userspace-api/index.rst > index c78da9ce0ec4..6feff0fcd88f 100644 > --- a/Documentation/userspace-api/index.rst > +++ b/Documentation/userspace-api/index.rst > @@ -30,6 +30,7 @@ place where this information is gathered. > sysfs-platform_profile > vduse > futex2 > + lsm > > .. only:: subproject and html > > diff --git a/Documentation/userspace-api/lsm.rst b/Documentation/userspace-api/lsm.rst > new file mode 100644 > index 000000000000..6ddf5506110b > --- /dev/null > +++ b/Documentation/userspace-api/lsm.rst 
> @@ -0,0 +1,55 @@ > +.. SPDX-License-Identifier: GPL-2.0 > +.. Copyright (C) 2022 Casey Schaufler <casey@schaufler-ca.com> > +.. Copyright (C) 2022 Intel Corporation > + > +===================================== > +Linux Security Modules > +===================================== > + > +:Author: Casey Schaufler > +:Date: November 2022 > + > +Linux security modules (LSM) provide a mechanism to implement > +additional access controls to the Linux security policies. > + > +The various security modules may support any of these attributes: > + > +``LSM_ATTR_CURRENT`` is the current, active security context of the > +process. > +The proc filesystem provides this value in ``/proc/self/attr/current``. > +This is supported by the SELinux, Smack and AppArmor security modules. > +Smack also provides this value in ``/proc/self/attr/smack/current``. > +AppArmor also provides this value in ``/proc/self/attr/apparmor/current``. > + > +``LSM_ATTR_EXEC`` is the security context of the process at the time the > +current image was executed. > +The proc filesystem provides this value in ``/proc/self/attr/exec``. > +This is supported by the SELinux and AppArmor security modules. > +AppArmor also provides this value in ``/proc/self/attr/apparmor/exec``. > + > +``LSM_ATTR_FSCREATE`` is the security context of the process used when > +creating file system objects. > +The proc filesystem provides this value in ``/proc/self/attr/fscreate``. > +This is supported by the SELinux security module. > + > +``LSM_ATTR_KEYCREATE`` is the security context of the process used when > +creating key objects. > +The proc filesystem provides this value in ``/proc/self/attr/keycreate``. > +This is supported by the SELinux security module. > + > +``LSM_ATTR_PREV`` is the security context of the process at the time the > +current security context was set. > +The proc filesystem provides this value in ``/proc/self/attr/prev``. > +This is supported by the SELinux and AppArmor security modules. 
> +AppArmor also provides this value in ``/proc/self/attr/apparmor/prev``. > + > +``LSM_ATTR_SOCKCREATE`` is the security context of the process used when > +creating socket objects. > +The proc filesystem provides this value in ``/proc/self/attr/sockcreate``. > +This is supported by the SELinux security module. > + > +Additional documentation > +======================== > + > +* Documentation/security/lsm.rst > +* Documentation/security/lsm-development.rst > diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h > index d306db1044d1..7e88acc37a29 100644 > --- a/include/linux/lsm_hooks.h > +++ b/include/linux/lsm_hooks.h > @@ -1606,12 +1606,14 @@ struct security_hook_heads { > * struct lsm_id - identify a Linux Security Module. > * @lsm: Name of the LSM. Must be approved by the LSM maintainers. > * @id: LSM ID number from uapi/linux/lsm.h > + * @attrs_used: Which attributes this LSM supports. > * > * Contains the information that identifies the LSM. > */ > struct lsm_id { > const u8 *lsm; > u32 id; > + u64 attrs_used; I'd prefer this field to be part of the previous patch. This doesn't change much but it is to highlight that the struct lsm_id size should not change unless properly handled by userspace. > }; > > /* > diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h > index 47791c330cbf..8e9124bf622c 100644 > --- a/include/uapi/linux/lsm.h > +++ b/include/uapi/linux/lsm.h > @@ -29,4 +29,16 @@ > #define LSM_ID_BPF 110 > #define LSM_ID_LANDLOCK 111 > > +/* > + * LSM_ATTR_XXX values identify the /proc/.../attr entry that the > + * context represents. Not all security modules provide all of these > + * values. Some security modules provide none of them. > + */ > +#define LSM_ATTR_CURRENT 0x0001 > +#define LSM_ATTR_EXEC 0x0002 > +#define LSM_ATTR_FSCREATE 0x0004 > +#define LSM_ATTR_KEYCREATE 0x0008 > +#define LSM_ATTR_PREV 0x0010 > +#define LSM_ATTR_SOCKCREATE 0x0020 > + > #endif /* _UAPI_LINUX_LSM_H */ 
> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c > index b859b1af6c75..3a6bf4f95d84 100644 > --- a/security/apparmor/lsm.c > +++ b/security/apparmor/lsm.c > @@ -1206,6 +1206,7 @@ struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = { > static struct lsm_id apparmor_lsmid __lsm_ro_after_init = { > .lsm = "apparmor", > .id = LSM_ID_APPARMOR, > + .attrs_used = LSM_ATTR_CURRENT | LSM_ATTR_PREV | LSM_ATTR_EXEC, > }; > > static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 5fcce36267bd..e831d9c38c54 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -7018,6 +7018,8 @@ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd) > static struct lsm_id selinux_lsmid __lsm_ro_after_init = { > .lsm = "selinux", > .id = LSM_ID_SELINUX, > + .attrs_used = LSM_ATTR_CURRENT | LSM_ATTR_EXEC | LSM_ATTR_FSCREATE | > + LSM_ATTR_KEYCREATE | LSM_ATTR_PREV | LSM_ATTR_SOCKCREATE, > }; > > /* > diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c > index c7ba80e20b8d..c2a05217bde4 100644 > --- a/security/smack/smack_lsm.c > +++ b/security/smack/smack_lsm.c > @@ -4791,6 +4791,7 @@ struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { > static struct lsm_id smack_lsmid __lsm_ro_after_init = { > .lsm = "smack", > .id = LSM_ID_SMACK, > + .attrs_used = LSM_ATTR_CURRENT, > }; > > static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
On 11/25/2022 8:41 AM, Mickaël Salaün wrote: > > On 23/11/2022 21:15, Casey Schaufler wrote: >> Add an integer member "attrs_used" to the struct lsm_id which >> identifies the API related data associated with each security >> module. The initial set of features maps to information that >> has traditionaly been available in /proc/self/attr. They are >> documented in a new userspace-api file. >> >> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> >> --- >> Documentation/userspace-api/index.rst | 1 + >> Documentation/userspace-api/lsm.rst | 55 +++++++++++++++++++++++++++ >> include/linux/lsm_hooks.h | 2 + >> include/uapi/linux/lsm.h | 12 ++++++ >> security/apparmor/lsm.c | 1 + >> security/selinux/hooks.c | 2 + >> security/smack/smack_lsm.c | 1 + >> 7 files changed, 74 insertions(+) >> create mode 100644 Documentation/userspace-api/lsm.rst >> >> diff --git a/Documentation/userspace-api/index.rst >> b/Documentation/userspace-api/index.rst >> index c78da9ce0ec4..6feff0fcd88f 100644 >> --- a/Documentation/userspace-api/index.rst >> +++ b/Documentation/userspace-api/index.rst >> @@ -30,6 +30,7 @@ place where this information is gathered. >> sysfs-platform_profile >> vduse >> futex2 >> + lsm >> .. only:: subproject and html >> diff --git a/Documentation/userspace-api/lsm.rst >> b/Documentation/userspace-api/lsm.rst >> new file mode 100644 >> index 000000000000..6ddf5506110b >> --- /dev/null >> +++ b/Documentation/userspace-api/lsm.rst 
>> @@ -0,0 +1,55 @@ >> +.. SPDX-License-Identifier: GPL-2.0 >> +.. Copyright (C) 2022 Casey Schaufler <casey@schaufler-ca.com> >> +.. Copyright (C) 2022 Intel Corporation >> + >> +===================================== >> +Linux Security Modules >> +===================================== >> + >> +:Author: Casey Schaufler >> +:Date: November 2022 >> + >> +Linux security modules (LSM) provide a mechanism to implement >> +additional access controls to the Linux security policies. >> + >> +The various security modules may support any of these attributes: >> + >> +``LSM_ATTR_CURRENT`` is the current, active security context of the >> +process. >> +The proc filesystem provides this value in ``/proc/self/attr/current``. >> +This is supported by the SELinux, Smack and AppArmor security modules. >> +Smack also provides this value in ``/proc/self/attr/smack/current``. >> +AppArmor also provides this value in >> ``/proc/self/attr/apparmor/current``. >> + >> +``LSM_ATTR_EXEC`` is the security context of the process at the time >> the >> +current image was executed. >> +The proc filesystem provides this value in ``/proc/self/attr/exec``. >> +This is supported by the SELinux and AppArmor security modules. >> +AppArmor also provides this value in ``/proc/self/attr/apparmor/exec``. >> + >> +``LSM_ATTR_FSCREATE`` is the security context of the process used when >> +creating file system objects. >> +The proc filesystem provides this value in >> ``/proc/self/attr/fscreate``. >> +This is supported by the SELinux security module. >> + >> +``LSM_ATTR_KEYCREATE`` is the security context of the process used when >> +creating key objects. >> +The proc filesystem provides this value in >> ``/proc/self/attr/keycreate``. >> +This is supported by the SELinux security module. >> + >> +``LSM_ATTR_PREV`` is the security context of the process at the time >> the >> +current security context was set. >> +The proc filesystem provides this value in ``/proc/self/attr/prev``. 
>> +This is supported by the SELinux and AppArmor security modules. >> +AppArmor also provides this value in ``/proc/self/attr/apparmor/prev``. >> + >> +``LSM_ATTR_SOCKCREATE`` is the security context of the process used >> when >> +creating socket objects. >> +The proc filesystem provides this value in >> ``/proc/self/attr/sockcreate``. >> +This is supported by the SELinux security module. >> + >> +Additional documentation >> +======================== >> + >> +* Documentation/security/lsm.rst >> +* Documentation/security/lsm-development.rst >> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h >> index d306db1044d1..7e88acc37a29 100644 >> --- a/include/linux/lsm_hooks.h >> +++ b/include/linux/lsm_hooks.h >> @@ -1606,12 +1606,14 @@ struct security_hook_heads { >> * struct lsm_id - identify a Linux Security Module. >> * @lsm: Name of the LSM. Must be approved by the LSM maintainers. >> * @id: LSM ID number from uapi/linux/lsm.h >> + * @attrs_used: Which attributes this LSM supports. >> * >> * Contains the information that identifies the LSM. >> */ >> struct lsm_id { >> const u8 *lsm; >> u32 id; >> + u64 attrs_used; > > I'd prefer this field to be part of the previous patch. This doesn't > change much but it is to highlight that the struct lsm_id size should > not change unless properly handled by userspace. Sigh. Given my druthers there would be a lot fewer, but somewhat larger, patches in this set. I will happily make this change, but fear reprisal from those who want a bizzilion tiny patches. (You know who you are) Also note that this is not an externally visible structure, and that the lsm_ctx structure that is user visible hasn't been introduced yet. > > >> }; >> /* >> diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h >> index 47791c330cbf..8e9124bf622c 100644 >> --- a/include/uapi/linux/lsm.h >> +++ b/include/uapi/linux/lsm.h 
>> @@ -29,4 +29,16 @@ >> #define LSM_ID_BPF 110 >> #define LSM_ID_LANDLOCK 111 >> +/* >> + * LSM_ATTR_XXX values identify the /proc/.../attr entry that the >> + * context represents. Not all security modules provide all of these >> + * values. Some security modules provide none of them. >> + */ >> +#define LSM_ATTR_CURRENT 0x0001 >> +#define LSM_ATTR_EXEC 0x0002 >> +#define LSM_ATTR_FSCREATE 0x0004 >> +#define LSM_ATTR_KEYCREATE 0x0008 >> +#define LSM_ATTR_PREV 0x0010 >> +#define LSM_ATTR_SOCKCREATE 0x0020 >> + >> #endif /* _UAPI_LINUX_LSM_H */ >> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c >> index b859b1af6c75..3a6bf4f95d84 100644 >> --- a/security/apparmor/lsm.c >> +++ b/security/apparmor/lsm.c >> @@ -1206,6 +1206,7 @@ struct lsm_blob_sizes apparmor_blob_sizes >> __lsm_ro_after_init = { >> static struct lsm_id apparmor_lsmid __lsm_ro_after_init = { >> .lsm = "apparmor", >> .id = LSM_ID_APPARMOR, >> + .attrs_used = LSM_ATTR_CURRENT | LSM_ATTR_PREV | LSM_ATTR_EXEC, >> }; >> static struct security_hook_list apparmor_hooks[] >> __lsm_ro_after_init = { >> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c >> index 5fcce36267bd..e831d9c38c54 100644 >> --- a/security/selinux/hooks.c >> +++ b/security/selinux/hooks.c >> @@ -7018,6 +7018,8 @@ static int selinux_uring_cmd(struct >> io_uring_cmd *ioucmd) >> static struct lsm_id selinux_lsmid __lsm_ro_after_init = { >> .lsm = "selinux", >> .id = LSM_ID_SELINUX, >> + .attrs_used = LSM_ATTR_CURRENT | LSM_ATTR_EXEC | >> LSM_ATTR_FSCREATE | >> + LSM_ATTR_KEYCREATE | LSM_ATTR_PREV | LSM_ATTR_SOCKCREATE, >> }; >> /* >> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c >> index c7ba80e20b8d..c2a05217bde4 100644 >> --- a/security/smack/smack_lsm.c >> +++ b/security/smack/smack_lsm.c 
>> @@ -4791,6 +4791,7 @@ struct lsm_blob_sizes smack_blob_sizes >> __lsm_ro_after_init = { >> static struct lsm_id smack_lsmid __lsm_ro_after_init = { >> .lsm = "smack", >> .id = LSM_ID_SMACK, >> + .attrs_used = LSM_ATTR_CURRENT, >> }; >> static struct security_hook_list smack_hooks[] >> __lsm_ro_after_init = {
diff --git a/Documentation/userspace-api/index.rst b/Documentation/userspace-api/index.rst index c78da9ce0ec4..6feff0fcd88f 100644 --- a/Documentation/userspace-api/index.rst +++ b/Documentation/userspace-api/index.rst @@ -30,6 +30,7 @@ place where this information is gathered. sysfs-platform_profile vduse futex2 + lsm .. only:: subproject and html diff --git a/Documentation/userspace-api/lsm.rst b/Documentation/userspace-api/lsm.rst new file mode 100644 index 000000000000..6ddf5506110b --- /dev/null +++ b/Documentation/userspace-api/lsm.rst 
@@ -0,0 +1,55 @@ +.. SPDX-License-Identifier: GPL-2.0 +.. Copyright (C) 2022 Casey Schaufler <casey@schaufler-ca.com> +.. Copyright (C) 2022 Intel Corporation + +===================================== +Linux Security Modules +===================================== + +:Author: Casey Schaufler +:Date: November 2022 + +Linux security modules (LSM) provide a mechanism to implement +additional access controls to the Linux security policies. + +The various security modules may support any of these attributes: + +``LSM_ATTR_CURRENT`` is the current, active security context of the +process. +The proc filesystem provides this value in ``/proc/self/attr/current``. +This is supported by the SELinux, Smack and AppArmor security modules. +Smack also provides this value in ``/proc/self/attr/smack/current``. +AppArmor also provides this value in ``/proc/self/attr/apparmor/current``. + +``LSM_ATTR_EXEC`` is the security context of the process at the time the +current image was executed. +The proc filesystem provides this value in ``/proc/self/attr/exec``. +This is supported by the SELinux and AppArmor security modules. +AppArmor also provides this value in ``/proc/self/attr/apparmor/exec``. + +``LSM_ATTR_FSCREATE`` is the security context of the process used when +creating file system objects. +The proc filesystem provides this value in ``/proc/self/attr/fscreate``. +This is supported by the SELinux security module. + +``LSM_ATTR_KEYCREATE`` is the security context of the process used when +creating key objects. +The proc filesystem provides this value in ``/proc/self/attr/keycreate``. +This is supported by the SELinux security module. + +``LSM_ATTR_PREV`` is the security context of the process at the time the +current security context was set. +The proc filesystem provides this value in ``/proc/self/attr/prev``. +This is supported by the SELinux and AppArmor security modules. +AppArmor also provides this value in ``/proc/self/attr/apparmor/prev``. 
+ +``LSM_ATTR_SOCKCREATE`` is the security context of the process used when +creating socket objects. +The proc filesystem provides this value in ``/proc/self/attr/sockcreate``. +This is supported by the SELinux security module. + +Additional documentation +======================== + +* Documentation/security/lsm.rst +* Documentation/security/lsm-development.rst diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index d306db1044d1..7e88acc37a29 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1606,12 +1606,14 @@ struct security_hook_heads { * struct lsm_id - identify a Linux Security Module. * @lsm: Name of the LSM. Must be approved by the LSM maintainers. * @id: LSM ID number from uapi/linux/lsm.h + * @attrs_used: Which attributes this LSM supports. * * Contains the information that identifies the LSM. */ struct lsm_id { const u8 *lsm; u32 id; + u64 attrs_used; }; /* diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h index 47791c330cbf..8e9124bf622c 100644 --- a/include/uapi/linux/lsm.h +++ b/include/uapi/linux/lsm.h @@ -29,4 +29,16 @@ #define LSM_ID_BPF 110 #define LSM_ID_LANDLOCK 111 +/* + * LSM_ATTR_XXX values identify the /proc/.../attr entry that the + * context represents. Not all security modules provide all of these + * values. Some security modules provide none of them. + */ +#define LSM_ATTR_CURRENT 0x0001 +#define LSM_ATTR_EXEC 0x0002 +#define LSM_ATTR_FSCREATE 0x0004 +#define LSM_ATTR_KEYCREATE 0x0008 +#define LSM_ATTR_PREV 0x0010 +#define LSM_ATTR_SOCKCREATE 0x0020 + #endif /* _UAPI_LINUX_LSM_H */ diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index b859b1af6c75..3a6bf4f95d84 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c 
@@ -1206,6 +1206,7 @@ struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = { static struct lsm_id apparmor_lsmid __lsm_ro_after_init = { .lsm = "apparmor", .id = LSM_ID_APPARMOR, + .attrs_used = LSM_ATTR_CURRENT | LSM_ATTR_PREV | LSM_ATTR_EXEC, }; static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 5fcce36267bd..e831d9c38c54 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7018,6 +7018,8 @@ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd) static struct lsm_id selinux_lsmid __lsm_ro_after_init = { .lsm = "selinux", .id = LSM_ID_SELINUX, + .attrs_used = LSM_ATTR_CURRENT | LSM_ATTR_EXEC | LSM_ATTR_FSCREATE | + LSM_ATTR_KEYCREATE | LSM_ATTR_PREV | LSM_ATTR_SOCKCREATE, }; /* diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index c7ba80e20b8d..c2a05217bde4 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4791,6 +4791,7 @@ struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { static struct lsm_id smack_lsmid __lsm_ro_after_init = { .lsm = "smack", .id = LSM_ID_SMACK, + .attrs_used = LSM_ATTR_CURRENT, }; static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
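Review bot: In the new Documentation/userspace-api/lsm.rst, the attribute list never says that the ``LSM_ATTR_*`` values are single bits that a module combines with ``|`` into ``attrs_used``, which is exactly how the apparmor, selinux and smack hunks use them; add a sentence to that effect before the list so userspace readers do not treat them as an enumeration. The opening sentence, "provide a mechanism to implement additional access controls to the Linux security policies", also reads awkwardly; something like "provide a mechanism to implement additional access controls on top of the standard Linux permission checks" says the same thing more clearly.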
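Review bot: In the include/linux/lsm_hooks.h hunk, the kernel-doc line `+ * @attrs_used: Which attributes this LSM supports.` does not say the field is a bitmask or where its values come from, even though the neighbouring `@id` line already points at uapi/linux/lsm.h. Suggest `@attrs_used: Bitmask of LSM_ATTR_* values from uapi/linux/lsm.h that this LSM supports.` so a module author knows to OR the flags rather than pick one.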
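Review bot: In the include/uapi/linux/lsm.h hunk, the block comment says the `LSM_ATTR_XXX` values "identify the /proc/.../attr entry that the context represents" but not that each is a distinct bit meant to be OR'd into a 64-bit mask; since this is a uapi header that comment becomes the contract userspace reads, so state the bit semantics there. Related: `attrs_used` is declared `u64` in lsm_hooks.h while these macros are plain `int` constants (`0x0001` .. `0x0020`); that is harmless for the six bits defined now, but any later bit at or above `1 << 31` would need a `ULL` suffix, so it may be worth adopting the suffix from the start.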
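Review bot: Style nit in the security/apparmor/lsm.c hunk: `+ .attrs_used = LSM_ATTR_CURRENT | LSM_ATTR_PREV | LSM_ATTR_EXEC,` lists the flags out of the order the uapi header defines them, whereas the selinux hunk follows header order. Writing it as `LSM_ATTR_CURRENT | LSM_ATTR_EXEC | LSM_ATTR_PREV` makes it easier to check the initialiser against lsm.rst, which lists current, exec and prev for AppArmor.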
Add an integer member "attrs_used" to the struct lsm_id which identifies the API related data associated with each security module. The initial set of features maps to information that has traditionally been available in /proc/self/attr. They are documented in a new userspace-api file.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
 Documentation/userspace-api/index.rst |  1 +
 Documentation/userspace-api/lsm.rst   | 55 +++++++++++++++++++++++++++
 include/linux/lsm_hooks.h             |  2 +
 include/uapi/linux/lsm.h              | 12 ++++++
 security/apparmor/lsm.c               |  1 +
 security/selinux/hooks.c              |  2 +
 security/smack/smack_lsm.c            |  1 +
 7 files changed, 74 insertions(+)
 create mode 100644 Documentation/userspace-api/lsm.rst
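As an added example that is not part of the patch or of the kernel tree, the C program below turns the LSM_ATTR_* bits from the patch's uapi header, and the attrs_used masks the patch gives AppArmor, SELinux and Smack, into a userspace consistency check: it decodes a mask into the /proc/self/attr entry names that the new lsm.rst documents, probes a directory for the entries that actually answer a read, and reports bits that are advertised but not readable. The function names (lsm_attr_name, lsm_attr_probe, lsm_attr_missing, lsm_attr_probe_demo), the fixture directory under /tmp and the "unconfined" sample context are my own assumptions; the syscall that would hand attrs_used to userspace is not part of this patch, so the demo compares against the mask constants directly.

```c
/*
 * Added example, not from the patch series: check an lsm_id.attrs_used
 * mask against what a /proc/self/attr-style directory really provides.
 * LSM_ATTR_* values are copied from the patch's include/uapi/linux/lsm.h;
 * the per-module masks are the initialisers the patch adds.
 */
#define _DEFAULT_SOURCE 1
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define LSM_ATTR_CURRENT    0x0001
#define LSM_ATTR_EXEC       0x0002
#define LSM_ATTR_FSCREATE   0x0004
#define LSM_ATTR_KEYCREATE  0x0008
#define LSM_ATTR_PREV       0x0010
#define LSM_ATTR_SOCKCREATE 0x0020

/* Masks as set in the patch for each module's struct lsm_id. */
#define APPARMOR_ATTRS (LSM_ATTR_CURRENT | LSM_ATTR_PREV | LSM_ATTR_EXEC)
#define SELINUX_ATTRS  (LSM_ATTR_CURRENT | LSM_ATTR_EXEC | LSM_ATTR_FSCREATE | \
			LSM_ATTR_KEYCREATE | LSM_ATTR_PREV | LSM_ATTR_SOCKCREATE)
#define SMACK_ATTRS    (LSM_ATTR_CURRENT)

/* Bit -> /proc/self/attr entry name, as documented in lsm.rst. */
static const struct { uint64_t bit; const char *name; } lsm_attr_table[] = {
	{ LSM_ATTR_CURRENT,    "current"    },
	{ LSM_ATTR_EXEC,       "exec"       },
	{ LSM_ATTR_FSCREATE,   "fscreate"   },
	{ LSM_ATTR_KEYCREATE,  "keycreate"  },
	{ LSM_ATTR_PREV,       "prev"       },
	{ LSM_ATTR_SOCKCREATE, "sockcreate" },
};
#define LSM_ATTR_COUNT (sizeof(lsm_attr_table) / sizeof(lsm_attr_table[0]))

/* Entry name for a single attribute bit, or NULL for an unknown bit. */
const char *lsm_attr_name(uint64_t bit)
{
	for (size_t i = 0; i < LSM_ATTR_COUNT; i++)
		if (lsm_attr_table[i].bit == bit)
			return lsm_attr_table[i].name;
	return NULL;
}

/* True if <dir>/<name> opens and a read succeeds.  On a real /proc an
 * entry that no module backs fails the read; an empty read (supported
 * but unset, e.g. SELinux fscreate) still counts as provided. */
static int attr_readable(const char *dir, const char *name)
{
	char path[256], buf[64];
	int fd;
	ssize_t n;

	if (snprintf(path, sizeof(path), "%s/%s", dir, name) >= (int)sizeof(path))
		return 0;
	fd = open(path, O_RDONLY);
	if (fd < 0)
		return 0;
	n = read(fd, buf, sizeof(buf));
	close(fd);
	return n >= 0;
}

/* Bitmask of attributes that answer a read under dir (e.g. /proc/self/attr). */
uint64_t lsm_attr_probe(const char *dir)
{
	uint64_t mask = 0;

	for (size_t i = 0; i < LSM_ATTR_COUNT; i++)
		if (attr_readable(dir, lsm_attr_table[i].name))
			mask |= lsm_attr_table[i].bit;
	return mask;
}

/* Bits a module advertises in attrs_used that the probe could not read. */
uint64_t lsm_attr_missing(uint64_t advertised, uint64_t probed)
{
	return advertised & ~probed;
}

/* Constructed fixture: a directory providing only current, exec and prev
 * (the set the patch claims for AppArmor), probed and then removed. */
uint64_t lsm_attr_probe_demo(void)
{
	char dir[] = "/tmp/lsm-attr-demo-XXXXXX";	/* assumed writable */
	const char *provided[] = { "current", "exec", "prev" };
	char path[256];
	uint64_t mask;

	if (!mkdtemp(dir))
		return 0;
	for (size_t i = 0; i < 3; i++) {
		snprintf(path, sizeof(path), "%s/%s", dir, provided[i]);
		FILE *f = fopen(path, "w");
		if (f) {
			fputs("unconfined\n", f);	/* constructed sample context */
			fclose(f);
		}
	}
	mask = lsm_attr_probe(dir);
	for (size_t i = 0; i < 3; i++) {
		snprintf(path, sizeof(path), "%s/%s", dir, provided[i]);
		unlink(path);
	}
	rmdir(dir);
	return mask;
}

int main(void)
{
	uint64_t probed = lsm_attr_probe("/proc/self/attr");
	uint64_t missing = lsm_attr_missing(APPARMOR_ATTRS, probed);

	printf("readable under /proc/self/attr: 0x%llx\n", (unsigned long long)probed);
	for (size_t i = 0; i < LSM_ATTR_COUNT; i++)
		if (missing & lsm_attr_table[i].bit)
			printf("advertised but not readable: %s\n", lsm_attr_table[i].name);
	return 0;
}
```

Run on a live system, main() shows which entries the booted module actually answers; the check with APPARMOR_ATTRS is only illustrative, and a real tool would substitute the mask of whichever module is active once the series' syscall exposes it.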