
[4/4] LSM: Add a LSM module which handles dynamically appendable LSM hooks.

Message ID 34be5cd8-1fdd-4323-82a3-40f2e7d35db3@I-love.SAKURA.ne.jp (mailing list archive)
State Rejected
Delegated to: Paul Moore
Series LSM: Officially support appending LSM hooks after boot.

Commit Message

Tetsuo Handa Nov. 20, 2023, 1:30 p.m. UTC
TOMOYO security module will use this functionality.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 include/linux/lsm_hooks.h |   9 +
 security/Makefile         |   2 +-
 security/mod_lsm.c        | 321 ++++++++++++++++
 security/security.c       | 752 ++------------------------------------
 4 files changed, 359 insertions(+), 725 deletions(-)
 create mode 100644 security/mod_lsm.c

Comments

kernel test robot Nov. 20, 2023, 10:28 p.m. UTC | #1
Hi Tetsuo,

kernel test robot noticed the following build warnings:

[auto build test WARNING on bpf/master]
[also build test WARNING on pcmoore-audit/next pcmoore-selinux/next linus/master v6.7-rc2]
[cannot apply to bpf-next/master next-20231120]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Tetsuo-Handa/LSM-Auto-undef-LSM_HOOK-macro/20231120-214522
base:   https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git master
patch link:    https://lore.kernel.org/r/34be5cd8-1fdd-4323-82a3-40f2e7d35db3%40I-love.SAKURA.ne.jp
patch subject: [PATCH 4/4] LSM: Add a LSM module which handles dynamically appendable LSM hooks.
config: arm64-randconfig-002-20231121 (https://download.01.org/0day-ci/archive/20231121/202311210652.jzysT4DZ-lkp@intel.com/config)
compiler: aarch64-linux-gcc (GCC) 13.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20231121/202311210652.jzysT4DZ-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202311210652.jzysT4DZ-lkp@intel.com/

All warnings (new ones prefixed by >>):

>> security/security.c:822: warning: Incorrect use of kernel-doc format:  * security_binder_transaction() - Check if a binder transaction is allowed
>> security/security.c:832: warning: Incorrect use of kernel-doc format:  * security_binder_transfer_binder() - Check if a binder transfer is allowed
>> security/security.c:842: warning: Incorrect use of kernel-doc format:  * security_binder_transfer_file() - Check if a binder file xfer is allowed
>> security/security.c:853: warning: Incorrect use of kernel-doc format:  * security_ptrace_access_check() - Check if tracing is allowed
>> security/security.c:868: warning: Incorrect use of kernel-doc format:  * security_ptrace_traceme() - Check if tracing is allowed
>> security/security.c:879: warning: Incorrect use of kernel-doc format:  * security_capget() - Get the capability sets for a process
>> security/security.c:894: warning: Incorrect use of kernel-doc format:  * security_capset() - Set the capability sets for a process
>> security/security.c:908: warning: Incorrect use of kernel-doc format:  * security_capable() - Check if a process has the necessary capability
>> security/security.c:922: warning: Incorrect use of kernel-doc format:  * security_quotactl() - Check if a quotactl() syscall is allowed for this fs
>> security/security.c:934: warning: Incorrect use of kernel-doc format:  * security_quota_on() - Check if QUOTAON is allowed for a dentry
>> security/security.c:943: warning: Incorrect use of kernel-doc format:  * security_syslog() - Check if accessing the kernel message ring is allowed
>> security/security.c:954: warning: Incorrect use of kernel-doc format:  * security_settime64() - Check if changing the system time is allowed
>> security/security.c:964: warning: Function parameter or member 'ts' not described in 'security_settime64'
>> security/security.c:964: warning: Function parameter or member 'tz' not described in 'security_settime64'
>> security/security.c:964: warning: expecting prototype for security_binder_set_context_mgr(). Prototype was for security_settime64() instead
>> security/security.c:1020: warning: Incorrect use of kernel-doc format:  * security_bprm_creds_from_file() - Update linux_binprm creds based on file
>> security/security.c:1040: warning: Incorrect use of kernel-doc format:  * security_bprm_check() - Mediate binary handler search
>> security/security.c:1052: warning: expecting prototype for security_bprm_creds_for_exec(). Prototype was for security_bprm_check() instead
>> security/security.c:1075: warning: Incorrect use of kernel-doc format:  * security_bprm_committed_creds() - Tidy up after cred install during exec()
>> security/security.c:1087: warning: Incorrect use of kernel-doc format:  * security_fs_context_submount() - Initialise fc->security
   security/security.c:1097: warning: Incorrect use of kernel-doc format:  * security_fs_context_dup() - Duplicate a fs_context LSM blob
   security/security.c:1109: warning: Incorrect use of kernel-doc format:  * security_fs_context_parse_param() - Configure a filesystem context
   security/security.c:1122: warning: Function parameter or member 'fc' not described in 'security_fs_context_parse_param'
   security/security.c:1122: warning: Function parameter or member 'param' not described in 'security_fs_context_parse_param'
   security/security.c:1122: warning: expecting prototype for security_bprm_committing_creds(). Prototype was for security_fs_context_parse_param() instead
   security/security.c:1169: warning: Incorrect use of kernel-doc format:  * security_sb_free() - Free a super_block LSM blob
   security/security.c:1176: warning: expecting prototype for security_sb_delete(). Prototype was for security_sb_free() instead
   security/security.c:1206: warning: Function parameter or member 'security_sb_eat_lsm_opts' not described in 'EXPORT_SYMBOL'
   security/security.c:1206: warning: expecting prototype for security_sb_eat_lsm_opts(). Prototype was for EXPORT_SYMBOL() instead
   security/security.c:1218: warning: Function parameter or member 'security_sb_mnt_opts_compat' not described in 'EXPORT_SYMBOL'
   security/security.c:1218: warning: expecting prototype for security_sb_mnt_opts_compat(). Prototype was for EXPORT_SYMBOL() instead
   security/security.c:1230: warning: Function parameter or member 'security_sb_remount' not described in 'EXPORT_SYMBOL'
   security/security.c:1230: warning: expecting prototype for security_sb_remount(). Prototype was for EXPORT_SYMBOL() instead
   security/security.c:1242: warning: Incorrect use of kernel-doc format:  * security_sb_show_options() - Output the mount options for a superblock
   security/security.c:1252: warning: Incorrect use of kernel-doc format:  * security_sb_statfs() - Check if accessing fs stats is allowed
   security/security.c:1262: warning: Incorrect use of kernel-doc format:  * security_sb_mount() - Check permission for mounting a filesystem
   security/security.c:1280: warning: Incorrect use of kernel-doc format:  * security_sb_umount() - Check permission for unmounting a filesystem
   security/security.c:1290: warning: Incorrect use of kernel-doc format:  * security_sb_pivotroot() - Check permissions for pivoting the rootfs
   security/security.c:1300: warning: Incorrect use of kernel-doc format:  * security_sb_set_mnt_opts() - Set the mount options for a filesystem
   security/security.c:1314: warning: Function parameter or member 'mnt_opts' not described in 'security_sb_set_mnt_opts'
   security/security.c:1314: warning: Function parameter or member 'kern_flags' not described in 'security_sb_set_mnt_opts'
   security/security.c:1314: warning: Function parameter or member 'set_kern_flags' not described in 'security_sb_set_mnt_opts'
   security/security.c:1314: warning: expecting prototype for security_sb_kern_mount(). Prototype was for security_sb_set_mnt_opts() instead
   security/security.c:1332: warning: Function parameter or member 'security_sb_clone_mnt_opts' not described in 'EXPORT_SYMBOL'
   security/security.c:1332: warning: expecting prototype for security_sb_clone_mnt_opts(). Prototype was for EXPORT_SYMBOL() instead
   security/security.c:1345: warning: Incorrect use of kernel-doc format:  * security_path_notify() - Check if setting a watch is allowed
   security/security.c:1357: warning: Incorrect use of kernel-doc format:  * security_inode_alloc() - Allocate an inode LSM blob
   security/security.c:1367: warning: Function parameter or member 'inode' not described in 'security_inode_alloc'
   security/security.c:1367: warning: expecting prototype for security_move_mount(). Prototype was for security_inode_alloc() instead
   security/security.c:1425: warning: Function parameter or member 'security_dentry_init_security' not described in 'EXPORT_SYMBOL'
   security/security.c:1425: warning: expecting prototype for security_dentry_init_security(). Prototype was for EXPORT_SYMBOL() instead
   security/security.c:1442: warning: Function parameter or member 'security_dentry_create_files_as' not described in 'EXPORT_SYMBOL'
   security/security.c:1442: warning: expecting prototype for security_dentry_create_files_as(). Prototype was for EXPORT_SYMBOL() instead
   security/security.c:1539: warning: Incorrect use of kernel-doc format:  * security_path_mknod() - Check if creating a special file is allowed
   security/security.c:1552: warning: Function parameter or member 'dir' not described in 'security_path_mknod'
   security/security.c:1552: warning: Function parameter or member 'dentry' not described in 'security_path_mknod'
   security/security.c:1552: warning: Function parameter or member 'mode' not described in 'security_path_mknod'
   security/security.c:1552: warning: Function parameter or member 'dev' not described in 'security_path_mknod'
   security/security.c:1552: warning: expecting prototype for security_inode_init_security_anon(). Prototype was for security_path_mknod() instead
   security/security.c:1736: warning: Incorrect use of kernel-doc format:  * security_inode_create() - Check if creating a file is allowed
   security/security.c:1747: warning: Function parameter or member 'dir' not described in 'security_inode_create'
   security/security.c:1747: warning: Function parameter or member 'dentry' not described in 'security_inode_create'
   security/security.c:1747: warning: Function parameter or member 'mode' not described in 'security_inode_create'
   security/security.c:1747: warning: expecting prototype for security_path_chroot(). Prototype was for security_inode_create() instead
   security/security.c:2204: warning: Incorrect use of kernel-doc format:  * security_inode_killpriv() - The setuid bit is removed, update LSM state
   security/security.c:2216: warning: Incorrect use of kernel-doc format:  * security_inode_getsecurity() - Get the xattr security label of an inode
   security/security.c:2234: warning: Function parameter or member 'idmap' not described in 'security_inode_getsecurity'
   security/security.c:2234: warning: Function parameter or member 'inode' not described in 'security_inode_getsecurity'
   security/security.c:2234: warning: Function parameter or member 'name' not described in 'security_inode_getsecurity'
   security/security.c:2234: warning: Function parameter or member 'buffer' not described in 'security_inode_getsecurity'
   security/security.c:2234: warning: Function parameter or member 'alloc' not described in 'security_inode_getsecurity'
   security/security.c:2234: warning: expecting prototype for security_inode_need_killpriv(). Prototype was for security_inode_getsecurity() instead
   security/security.c:2319: warning: Incorrect use of kernel-doc format:  * security_inode_copy_up() - Create new creds for an overlayfs copy-up op
   security/security.c:2330: warning: Function parameter or member 'security_inode_copy_up' not described in 'EXPORT_SYMBOL'
   security/security.c:2330: warning: expecting prototype for security_inode_getsecid(). Prototype was for EXPORT_SYMBOL() instead
   security/security.c:2377: warning: Incorrect use of kernel-doc format:  * security_file_permission() - Check file permissions
   security/security.c:2396: warning: Function parameter or member 'file' not described in 'security_file_permission'
   security/security.c:2396: warning: Function parameter or member 'mask' not described in 'security_file_permission'
   security/security.c:2396: warning: expecting prototype for security_kernfs_init_security(). Prototype was for security_file_permission() instead
   security/security.c:2459: warning: Function parameter or member 'security_file_ioctl' not described in 'EXPORT_SYMBOL_GPL'
   security/security.c:2459: warning: expecting prototype for security_file_ioctl(). Prototype was for EXPORT_SYMBOL_GPL() instead
   security/security.c:2527: warning: Incorrect use of kernel-doc format:  * security_file_mprotect() - Check if changing memory protections is allowed
   security/security.c:2538: warning: Function parameter or member 'vma' not described in 'security_file_mprotect'
   security/security.c:2538: warning: Function parameter or member 'reqprot' not described in 'security_file_mprotect'
   security/security.c:2538: warning: Function parameter or member 'prot' not described in 'security_file_mprotect'
   security/security.c:2538: warning: expecting prototype for security_mmap_addr(). Prototype was for security_file_mprotect() instead
   security/security.c:2559: warning: Incorrect use of kernel-doc format:  * security_file_fcntl() - Check if fcntl() op is allowed
   security/security.c:2574: warning: Incorrect use of kernel-doc format:  * security_file_set_fowner() - Set the file owner info in the LSM blob
   security/security.c:2584: warning: Incorrect use of kernel-doc format:  * security_file_send_sigiotask() - Check if sending SIGIO/SIGURG is allowed
   security/security.c:2599: warning: Incorrect use of kernel-doc format:  * security_file_receive() - Check is receiving a file via IPC is allowed
   security/security.c:2609: warning: Incorrect use of kernel-doc format:  * security_file_open() - Save open() time state for late use by the LSM
   security/security.c:2618: warning: expecting prototype for security_file_lock(). Prototype was for security_file_open() instead
   security/security.c:2640: warning: Incorrect use of kernel-doc format:  * security_task_alloc() - Allocate a task's LSM blob
   security/security.c:2649: warning: Function parameter or member 'task' not described in 'security_task_alloc'
   security/security.c:2649: warning: Function parameter or member 'clone_flags' not described in 'security_task_alloc'
   security/security.c:2649: warning: expecting prototype for security_file_truncate(). Prototype was for security_task_alloc() instead
   security/security.c:2781: warning: Incorrect use of kernel-doc format:  * security_kernel_create_files_as() - Set file creation context using an inode
   security/security.c:2793: warning: Incorrect use of kernel-doc format:  * security_kernel_module_request() - Check is loading a module is allowed
   security/security.c:2802: warning: Function parameter or member 'kmod_name' not described in 'security_kernel_module_request'
   security/security.c:2802: warning: expecting prototype for security_kernel_act_as(). Prototype was for security_kernel_module_request() instead
   security/security.c:2922: warning: Incorrect use of kernel-doc format:  * security_task_fix_setgid() - Update LSM with new group id attributes
   security/security.c:2937: warning: Incorrect use of kernel-doc format:  * security_task_fix_setgroups() - Update LSM with new supplementary groups
   security/security.c:2950: warning: Incorrect use of kernel-doc format:  * security_task_setpgid() - Check if setting the pgid is allowed
   security/security.c:2961: warning: Incorrect use of kernel-doc format:  * security_task_getpgid() - Check if getting the pgid is allowed
   security/security.c:2971: warning: Incorrect use of kernel-doc format:  * security_task_getsid() - Check if getting the session id is allowed
   security/security.c:2980: warning: Incorrect use of kernel-doc format:  * security_current_getsecid_subj() - Get the current task's subjective secid
   security/security.c:2987: warning: Function parameter or member 'secid' not described in 'security_current_getsecid_subj'
   security/security.c:2987: warning: expecting prototype for security_task_fix_setuid(). Prototype was for security_current_getsecid_subj() instead
   security/security.c:3019: warning: Incorrect use of kernel-doc format:  * security_task_setioprio() - Check if setting a task's ioprio is allowed
   security/security.c:3029: warning: Incorrect use of kernel-doc format:  * security_task_getioprio() - Check if getting a task's ioprio is allowed
   security/security.c:3038: warning: Incorrect use of kernel-doc format:  * security_task_prlimit() - Check if get/setting resources limits is allowed
   security/security.c:3050: warning: Incorrect use of kernel-doc format:  * security_task_setrlimit() - Check if setting a new rlimit value is allowed
   security/security.c:3063: warning: Incorrect use of kernel-doc format:  * security_task_setscheduler() - Check if setting sched policy/param is allowed
   security/security.c:3073: warning: Incorrect use of kernel-doc format:  * security_task_getscheduler() - Check if getting scheduling info is allowed
   security/security.c:3082: warning: Incorrect use of kernel-doc format:  * security_task_movememory() - Check if moving memory is allowed
   security/security.c:3091: warning: Incorrect use of kernel-doc format:  * security_task_kill() - Check if sending a signal is allowed
   security/security.c:3107: warning: Incorrect use of kernel-doc format:  * security_task_prctl() - Check if a prctl op is allowed
   security/security.c:3122: warning: Function parameter or member 'option' not described in 'security_task_prctl'
   security/security.c:3122: warning: Function parameter or member 'arg2' not described in 'security_task_prctl'
   security/security.c:3122: warning: Function parameter or member 'arg3' not described in 'security_task_prctl'


vim +822 security/security.c

20510f2f4e2dab James Morris      2007-10-16   811  
1427ddbe5cc1a3 Paul Moore        2023-02-16   812  /**
1427ddbe5cc1a3 Paul Moore        2023-02-16   813   * security_binder_set_context_mgr() - Check if becoming binder ctx mgr is ok
1427ddbe5cc1a3 Paul Moore        2023-02-16   814   * @mgr: task credentials of current binder process
1427ddbe5cc1a3 Paul Moore        2023-02-16   815   *
1427ddbe5cc1a3 Paul Moore        2023-02-16   816   * Check whether @mgr is allowed to be the binder context manager.
1427ddbe5cc1a3 Paul Moore        2023-02-16   817   *
1427ddbe5cc1a3 Paul Moore        2023-02-16   818   * Return: Return 0 if permission is granted.
1427ddbe5cc1a3 Paul Moore        2023-02-16   819   */
79af73079d753b Stephen Smalley   2015-01-21   820  
1427ddbe5cc1a3 Paul Moore        2023-02-16   821  /**
1427ddbe5cc1a3 Paul Moore        2023-02-16  @822   * security_binder_transaction() - Check if a binder transaction is allowed
1427ddbe5cc1a3 Paul Moore        2023-02-16   823   * @from: sending process
1427ddbe5cc1a3 Paul Moore        2023-02-16   824   * @to: receiving process
1427ddbe5cc1a3 Paul Moore        2023-02-16   825   *
1427ddbe5cc1a3 Paul Moore        2023-02-16   826   * Check whether @from is allowed to invoke a binder transaction call to @to.
1427ddbe5cc1a3 Paul Moore        2023-02-16   827   *
1427ddbe5cc1a3 Paul Moore        2023-02-16   828   * Return: Returns 0 if permission is granted.
1427ddbe5cc1a3 Paul Moore        2023-02-16   829   */
79af73079d753b Stephen Smalley   2015-01-21   830  
1427ddbe5cc1a3 Paul Moore        2023-02-16   831  /**
1427ddbe5cc1a3 Paul Moore        2023-02-16  @832   * security_binder_transfer_binder() - Check if a binder transfer is allowed
1427ddbe5cc1a3 Paul Moore        2023-02-16   833   * @from: sending process
1427ddbe5cc1a3 Paul Moore        2023-02-16   834   * @to: receiving process
1427ddbe5cc1a3 Paul Moore        2023-02-16   835   *
1427ddbe5cc1a3 Paul Moore        2023-02-16   836   * Check whether @from is allowed to transfer a binder reference to @to.
1427ddbe5cc1a3 Paul Moore        2023-02-16   837   *
1427ddbe5cc1a3 Paul Moore        2023-02-16   838   * Return: Returns 0 if permission is granted.
1427ddbe5cc1a3 Paul Moore        2023-02-16   839   */
79af73079d753b Stephen Smalley   2015-01-21   840  
1427ddbe5cc1a3 Paul Moore        2023-02-16   841  /**
1427ddbe5cc1a3 Paul Moore        2023-02-16  @842   * security_binder_transfer_file() - Check if a binder file xfer is allowed
1427ddbe5cc1a3 Paul Moore        2023-02-16   843   * @from: sending process
1427ddbe5cc1a3 Paul Moore        2023-02-16   844   * @to: receiving process
1427ddbe5cc1a3 Paul Moore        2023-02-16   845   * @file: file being transferred
1427ddbe5cc1a3 Paul Moore        2023-02-16   846   *
1427ddbe5cc1a3 Paul Moore        2023-02-16   847   * Check whether @from is allowed to transfer @file to @to.
1427ddbe5cc1a3 Paul Moore        2023-02-16   848   *
1427ddbe5cc1a3 Paul Moore        2023-02-16   849   * Return: Returns 0 if permission is granted.
1427ddbe5cc1a3 Paul Moore        2023-02-16   850   */
79af73079d753b Stephen Smalley   2015-01-21   851  
e261301c851aee Paul Moore        2023-02-16   852  /**
e261301c851aee Paul Moore        2023-02-16  @853   * security_ptrace_access_check() - Check if tracing is allowed
e261301c851aee Paul Moore        2023-02-16   854   * @child: target process
e261301c851aee Paul Moore        2023-02-16   855   * @mode: PTRACE_MODE flags
e261301c851aee Paul Moore        2023-02-16   856   *
e261301c851aee Paul Moore        2023-02-16   857   * Check permission before allowing the current process to trace the @child
e261301c851aee Paul Moore        2023-02-16   858   * process.  Security modules may also want to perform a process tracing check
e261301c851aee Paul Moore        2023-02-16   859   * during an execve in the set_security or apply_creds hooks of tracing check
e261301c851aee Paul Moore        2023-02-16   860   * during an execve in the bprm_set_creds hook of binprm_security_ops if the
e261301c851aee Paul Moore        2023-02-16   861   * process is being traced and its security attributes would be changed by the
e261301c851aee Paul Moore        2023-02-16   862   * execve.
e261301c851aee Paul Moore        2023-02-16   863   *
e261301c851aee Paul Moore        2023-02-16   864   * Return: Returns 0 if permission is granted.
e261301c851aee Paul Moore        2023-02-16   865   */
5cd9c58fbe9ec9 David Howells     2008-08-14   866  
e261301c851aee Paul Moore        2023-02-16   867  /**
e261301c851aee Paul Moore        2023-02-16  @868   * security_ptrace_traceme() - Check if tracing is allowed
e261301c851aee Paul Moore        2023-02-16   869   * @parent: tracing process
e261301c851aee Paul Moore        2023-02-16   870   *
e261301c851aee Paul Moore        2023-02-16   871   * Check that the @parent process has sufficient permission to trace the
e261301c851aee Paul Moore        2023-02-16   872   * current process before allowing the current process to present itself to the
e261301c851aee Paul Moore        2023-02-16   873   * @parent process for tracing.
e261301c851aee Paul Moore        2023-02-16   874   *
e261301c851aee Paul Moore        2023-02-16   875   * Return: Returns 0 if permission is granted.
e261301c851aee Paul Moore        2023-02-16   876   */
20510f2f4e2dab James Morris      2007-10-16   877  
e261301c851aee Paul Moore        2023-02-16   878  /**
e261301c851aee Paul Moore        2023-02-16  @879   * security_capget() - Get the capability sets for a process
e261301c851aee Paul Moore        2023-02-16   880   * @target: target process
e261301c851aee Paul Moore        2023-02-16   881   * @effective: effective capability set
e261301c851aee Paul Moore        2023-02-16   882   * @inheritable: inheritable capability set
e261301c851aee Paul Moore        2023-02-16   883   * @permitted: permitted capability set
e261301c851aee Paul Moore        2023-02-16   884   *
e261301c851aee Paul Moore        2023-02-16   885   * Get the @effective, @inheritable, and @permitted capability sets for the
e261301c851aee Paul Moore        2023-02-16   886   * @target process.  The hook may also perform permission checking to determine
e261301c851aee Paul Moore        2023-02-16   887   * if the current process is allowed to see the capability sets of the @target
e261301c851aee Paul Moore        2023-02-16   888   * process.
e261301c851aee Paul Moore        2023-02-16   889   *
e261301c851aee Paul Moore        2023-02-16   890   * Return: Returns 0 if the capability sets were successfully obtained.
e261301c851aee Paul Moore        2023-02-16   891   */
20510f2f4e2dab James Morris      2007-10-16   892  
e261301c851aee Paul Moore        2023-02-16   893  /**
e261301c851aee Paul Moore        2023-02-16  @894   * security_capset() - Set the capability sets for a process
e261301c851aee Paul Moore        2023-02-16   895   * @new: new credentials for the target process
e261301c851aee Paul Moore        2023-02-16   896   * @old: current credentials of the target process
e261301c851aee Paul Moore        2023-02-16   897   * @effective: effective capability set
e261301c851aee Paul Moore        2023-02-16   898   * @inheritable: inheritable capability set
e261301c851aee Paul Moore        2023-02-16   899   * @permitted: permitted capability set
e261301c851aee Paul Moore        2023-02-16   900   *
e261301c851aee Paul Moore        2023-02-16   901   * Set the @effective, @inheritable, and @permitted capability sets for the
e261301c851aee Paul Moore        2023-02-16   902   * current process.
e261301c851aee Paul Moore        2023-02-16   903   *
e261301c851aee Paul Moore        2023-02-16   904   * Return: Returns 0 and update @new if permission is granted.
e261301c851aee Paul Moore        2023-02-16   905   */
20510f2f4e2dab James Morris      2007-10-16   906  
e261301c851aee Paul Moore        2023-02-16   907  /**
e261301c851aee Paul Moore        2023-02-16  @908   * security_capable() - Check if a process has the necessary capability
e261301c851aee Paul Moore        2023-02-16   909   * @cred: credentials to examine
e261301c851aee Paul Moore        2023-02-16   910   * @ns: user namespace
e261301c851aee Paul Moore        2023-02-16   911   * @cap: capability requested
e261301c851aee Paul Moore        2023-02-16   912   * @opts: capability check options
e261301c851aee Paul Moore        2023-02-16   913   *
e261301c851aee Paul Moore        2023-02-16   914   * Check whether the @tsk process has the @cap capability in the indicated
e261301c851aee Paul Moore        2023-02-16   915   * credentials.  @cap contains the capability <include/linux/capability.h>.
e261301c851aee Paul Moore        2023-02-16   916   * @opts contains options for the capable check <include/linux/security.h>.
e261301c851aee Paul Moore        2023-02-16   917   *
e261301c851aee Paul Moore        2023-02-16   918   * Return: Returns 0 if the capability is granted.
e261301c851aee Paul Moore        2023-02-16   919   */
20510f2f4e2dab James Morris      2007-10-16   920  
e261301c851aee Paul Moore        2023-02-16   921  /**
e261301c851aee Paul Moore        2023-02-16  @922   * security_quotactl() - Check if a quotactl() syscall is allowed for this fs
e261301c851aee Paul Moore        2023-02-16   923   * @cmds: commands
e261301c851aee Paul Moore        2023-02-16   924   * @type: type
e261301c851aee Paul Moore        2023-02-16   925   * @id: id
e261301c851aee Paul Moore        2023-02-16   926   * @sb: filesystem
e261301c851aee Paul Moore        2023-02-16   927   *
e261301c851aee Paul Moore        2023-02-16   928   * Check whether the quotactl syscall is allowed for this @sb.
e261301c851aee Paul Moore        2023-02-16   929   *
e261301c851aee Paul Moore        2023-02-16   930   * Return: Returns 0 if permission is granted.
e261301c851aee Paul Moore        2023-02-16   931   */
20510f2f4e2dab James Morris      2007-10-16   932  
e261301c851aee Paul Moore        2023-02-16   933  /**
e261301c851aee Paul Moore        2023-02-16  @934   * security_quota_on() - Check if QUOTAON is allowed for a dentry
e261301c851aee Paul Moore        2023-02-16   935   * @dentry: dentry
e261301c851aee Paul Moore        2023-02-16   936   *
e261301c851aee Paul Moore        2023-02-16   937   * Check whether QUOTAON is allowed for @dentry.
e261301c851aee Paul Moore        2023-02-16   938   *
e261301c851aee Paul Moore        2023-02-16   939   * Return: Returns 0 if permission is granted.
e261301c851aee Paul Moore        2023-02-16   940   */
20510f2f4e2dab James Morris      2007-10-16   941  
e261301c851aee Paul Moore        2023-02-16   942  /**
e261301c851aee Paul Moore        2023-02-16  @943   * security_syslog() - Check if accessing the kernel message ring is allowed
e261301c851aee Paul Moore        2023-02-16   944   * @type: SYSLOG_ACTION_* type
e261301c851aee Paul Moore        2023-02-16   945   *
e261301c851aee Paul Moore        2023-02-16   946   * Check permission before accessing the kernel message ring or changing
e261301c851aee Paul Moore        2023-02-16   947   * logging to the console.  See the syslog(2) manual page for an explanation of
e261301c851aee Paul Moore        2023-02-16   948   * the @type values.
e261301c851aee Paul Moore        2023-02-16   949   *
e261301c851aee Paul Moore        2023-02-16   950   * Return: Return 0 if permission is granted.
e261301c851aee Paul Moore        2023-02-16   951   */
20510f2f4e2dab James Morris      2007-10-16   952  
e261301c851aee Paul Moore        2023-02-16   953  /**
e261301c851aee Paul Moore        2023-02-16  @954   * security_settime64() - Check if changing the system time is allowed
e261301c851aee Paul Moore        2023-02-16   955   * @ts: new time
e261301c851aee Paul Moore        2023-02-16   956   * @tz: timezone
e261301c851aee Paul Moore        2023-02-16   957   *
e261301c851aee Paul Moore        2023-02-16   958   * Check permission to change the system time, struct timespec64 is defined in
e261301c851aee Paul Moore        2023-02-16   959   * <include/linux/time64.h> and timezone is defined in <include/linux/time.h>.
e261301c851aee Paul Moore        2023-02-16   960   *
e261301c851aee Paul Moore        2023-02-16   961   * Return: Returns 0 if permission is granted.
e261301c851aee Paul Moore        2023-02-16   962   */
457db29bfcfd1d Baolin Wang       2016-04-08   963  int security_settime64(const struct timespec64 *ts, const struct timezone *tz)
20510f2f4e2dab James Morris      2007-10-16  @964  {
f25fce3e8f1f15 Casey Schaufler   2015-05-02   965  	return call_int_hook(settime, 0, ts, tz);
20510f2f4e2dab James Morris      2007-10-16   966  }
20510f2f4e2dab James Morris      2007-10-16   967  
e261301c851aee Paul Moore        2023-02-16   968  /**
e261301c851aee Paul Moore        2023-02-16   969   * security_vm_enough_memory_mm() - Check if allocating a new mem map is allowed
e261301c851aee Paul Moore        2023-02-16   970   * @mm: mm struct
e261301c851aee Paul Moore        2023-02-16   971   * @pages: number of pages
e261301c851aee Paul Moore        2023-02-16   972   *
e261301c851aee Paul Moore        2023-02-16   973   * Check permissions for allocating a new virtual mapping.  If all LSMs return
e261301c851aee Paul Moore        2023-02-16   974   * a positive value, __vm_enough_memory() will be called with cap_sys_admin
e261301c851aee Paul Moore        2023-02-16   975   * set. If at least one LSM returns 0 or negative, __vm_enough_memory() will be
e261301c851aee Paul Moore        2023-02-16   976   * called with cap_sys_admin cleared.
e261301c851aee Paul Moore        2023-02-16   977   *
e261301c851aee Paul Moore        2023-02-16   978   * Return: Returns 0 if permission is granted by the LSM infrastructure to the
e261301c851aee Paul Moore        2023-02-16   979   *         caller.
e261301c851aee Paul Moore        2023-02-16   980   */
20510f2f4e2dab James Morris      2007-10-16   981  int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
20510f2f4e2dab James Morris      2007-10-16   982  {
b1d9e6b0646d0e Casey Schaufler   2015-05-02   983  	struct security_hook_list *hp;
b1d9e6b0646d0e Casey Schaufler   2015-05-02   984  	int cap_sys_admin = 1;
b1d9e6b0646d0e Casey Schaufler   2015-05-02   985  	int rc;
b1d9e6b0646d0e Casey Schaufler   2015-05-02   986  
b1d9e6b0646d0e Casey Schaufler   2015-05-02   987  	/*
b1d9e6b0646d0e Casey Schaufler   2015-05-02   988  	 * The module will respond with a positive value if
b1d9e6b0646d0e Casey Schaufler   2015-05-02   989  	 * it thinks the __vm_enough_memory() call should be
b1d9e6b0646d0e Casey Schaufler   2015-05-02   990  	 * made with the cap_sys_admin set. If all of the modules
b1d9e6b0646d0e Casey Schaufler   2015-05-02   991  	 * agree that it should be set it will. If any module
b1d9e6b0646d0e Casey Schaufler   2015-05-02   992  	 * thinks it should not be set it won't.
b1d9e6b0646d0e Casey Schaufler   2015-05-02   993  	 */
df0ce17331e250 Sargun Dhillon    2018-03-29   994  	hlist_for_each_entry(hp, &security_hook_heads.vm_enough_memory, list) {
b1d9e6b0646d0e Casey Schaufler   2015-05-02   995  		rc = hp->hook.vm_enough_memory(mm, pages);
b1d9e6b0646d0e Casey Schaufler   2015-05-02   996  		if (rc <= 0) {
b1d9e6b0646d0e Casey Schaufler   2015-05-02   997  			cap_sys_admin = 0;
b1d9e6b0646d0e Casey Schaufler   2015-05-02   998  			break;
b1d9e6b0646d0e Casey Schaufler   2015-05-02   999  		}
b1d9e6b0646d0e Casey Schaufler   2015-05-02  1000  	}
b1d9e6b0646d0e Casey Schaufler   2015-05-02  1001  	return __vm_enough_memory(mm, pages, cap_sys_admin);
20510f2f4e2dab James Morris      2007-10-16  1002  }
20510f2f4e2dab James Morris      2007-10-16  1003  
1661372c912d19 Paul Moore        2023-02-07  1004  /**
1661372c912d19 Paul Moore        2023-02-07  1005   * security_bprm_creds_for_exec() - Prepare the credentials for exec()
1661372c912d19 Paul Moore        2023-02-07  1006   * @bprm: binary program information
1661372c912d19 Paul Moore        2023-02-07  1007   *
1661372c912d19 Paul Moore        2023-02-07  1008   * If the setup in prepare_exec_creds did not setup @bprm->cred->security
1661372c912d19 Paul Moore        2023-02-07  1009   * properly for executing @bprm->file, update the LSM's portion of
1661372c912d19 Paul Moore        2023-02-07  1010   * @bprm->cred->security to be what commit_creds needs to install for the new
1661372c912d19 Paul Moore        2023-02-07  1011   * program.  This hook may also optionally check permissions (e.g. for
1661372c912d19 Paul Moore        2023-02-07  1012   * transitions between security domains).  The hook must set @bprm->secureexec
1661372c912d19 Paul Moore        2023-02-07  1013   * to 1 if AT_SECURE should be set to request libc enable secure mode.  @bprm
1661372c912d19 Paul Moore        2023-02-07  1014   * contains the linux_binprm structure.
1661372c912d19 Paul Moore        2023-02-07  1015   *
1661372c912d19 Paul Moore        2023-02-07  1016   * Return: Returns 0 if the hook is successful and permission is granted.
1661372c912d19 Paul Moore        2023-02-07  1017   */
b8bff599261c93 Eric W. Biederman 2020-03-22  1018  
1661372c912d19 Paul Moore        2023-02-07  1019  /**
1661372c912d19 Paul Moore        2023-02-07 @1020   * security_bprm_creds_from_file() - Update linux_binprm creds based on file
1661372c912d19 Paul Moore        2023-02-07  1021   * @bprm: binary program information
1661372c912d19 Paul Moore        2023-02-07  1022   * @file: associated file
1661372c912d19 Paul Moore        2023-02-07  1023   *
1661372c912d19 Paul Moore        2023-02-07  1024   * If @file is setpcap, suid, sgid or otherwise marked to change privilege upon
1661372c912d19 Paul Moore        2023-02-07  1025   * exec, update @bprm->cred to reflect that change. This is called after
1661372c912d19 Paul Moore        2023-02-07  1026   * finding the binary that will be executed without an interpreter.  This
1661372c912d19 Paul Moore        2023-02-07  1027   * ensures that the credentials will not be derived from a script that the
1661372c912d19 Paul Moore        2023-02-07  1028   * binary will need to reopen, which when reopend may end up being a completely
1661372c912d19 Paul Moore        2023-02-07  1029   * different file.  This hook may also optionally check permissions (e.g. for
1661372c912d19 Paul Moore        2023-02-07  1030   * transitions between security domains).  The hook must set @bprm->secureexec
1661372c912d19 Paul Moore        2023-02-07  1031   * to 1 if AT_SECURE should be set to request libc enable secure mode.  The
1661372c912d19 Paul Moore        2023-02-07  1032   * hook must add to @bprm->per_clear any personality flags that should be
1661372c912d19 Paul Moore        2023-02-07  1033   * cleared from current->personality.  @bprm contains the linux_binprm
1661372c912d19 Paul Moore        2023-02-07  1034   * structure.
1661372c912d19 Paul Moore        2023-02-07  1035   *
1661372c912d19 Paul Moore        2023-02-07  1036   * Return: Returns 0 if the hook is successful and permission is granted.
1661372c912d19 Paul Moore        2023-02-07  1037   */
20510f2f4e2dab James Morris      2007-10-16  1038
kernel test robot Nov. 20, 2023, 10:47 p.m. UTC | #2
Hi Tetsuo,

kernel test robot noticed the following build errors:

[auto build test ERROR on bpf/master]
[also build test ERROR on pcmoore-audit/next pcmoore-selinux/next linus/master v6.7-rc2]
[cannot apply to bpf-next/master next-20231120]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Tetsuo-Handa/LSM-Auto-undef-LSM_HOOK-macro/20231120-214522
base:   https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git master
patch link:    https://lore.kernel.org/r/34be5cd8-1fdd-4323-82a3-40f2e7d35db3%40I-love.SAKURA.ne.jp
patch subject: [PATCH 4/4] LSM: Add a LSM module which handles dynamically appendable LSM hooks.
config: csky-randconfig-002-20231121 (https://download.01.org/0day-ci/archive/20231121/202311210651.Bs3e5XsM-lkp@intel.com/config)
compiler: csky-linux-gcc (GCC) 13.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20231121/202311210651.Bs3e5XsM-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202311210651.Bs3e5XsM-lkp@intel.com/

All errors (new ones prefixed by >>):

   csky-linux-ld: kernel/bpf/syscall.o: in function `__bpf_prog_put_rcu':
>> syscall.c:(.text+0x844): undefined reference to `security_bpf_prog_free'
>> csky-linux-ld: syscall.c:(.text+0x87c): undefined reference to `security_bpf_prog_free'
   csky-linux-ld: kernel/bpf/syscall.o: in function `__bpf_prog_put_noref':
   syscall.c:(.text+0x13a4): undefined reference to `security_bpf_prog_free'
   csky-linux-ld: syscall.c:(.text+0x13fc): undefined reference to `security_bpf_prog_free'
   csky-linux-ld: kernel/bpf/syscall.o: in function `bpf_map_free_deferred':
>> syscall.c:(.text+0x3c0e): undefined reference to `security_bpf_map_free'
   csky-linux-ld: kernel/bpf/syscall.o: in function `map_check_btf':
   syscall.c:(.text+0x3ccc): undefined reference to `security_bpf_map_free'
   csky-linux-ld: kernel/bpf/syscall.o: in function `map_create':
>> syscall.c:(.text+0x448a): undefined reference to `security_bpf_map_alloc'
>> csky-linux-ld: syscall.c:(.text+0x4590): undefined reference to `security_bpf_map_alloc'
>> csky-linux-ld: syscall.c:(.text+0x46d0): undefined reference to `security_bpf_map_free'
   csky-linux-ld: syscall.c:(.text+0x4724): undefined reference to `security_bpf_map_free'
   csky-linux-ld: kernel/bpf/syscall.o: in function `bpf_prog_load':
>> syscall.c:(.text+0x4836): undefined reference to `security_bpf_prog_alloc'
>> csky-linux-ld: syscall.c:(.text+0x48c4): undefined reference to `security_bpf_prog_alloc'
   csky-linux-ld: syscall.c:(.text+0x497e): undefined reference to `security_bpf_prog_free'
   csky-linux-ld: syscall.c:(.text+0x49f0): undefined reference to `security_bpf_prog_free'
   mm/zsmalloc.o: in function `__zs_compact':
   zsmalloc.c:(.text+0x2142): relocation truncated to fit: R_CKCORE_PCREL_IMM16BY4 against `__jump_table'
   zsmalloc.c:(.text+0x214a): relocation truncated to fit: R_CKCORE_PCREL_IMM16BY4 against `__jump_table'
   mm/zsmalloc.o: in function `zs_compact':
   zsmalloc.c:(.text+0x218a): relocation truncated to fit: R_CKCORE_PCREL_IMM16BY4 against `__jump_table'
   zsmalloc.c:(.text+0x21ca): relocation truncated to fit: R_CKCORE_PCREL_IMM16BY4 against `__jump_table'
   zsmalloc.c:(.text+0x21d8): relocation truncated to fit: R_CKCORE_PCREL_IMM16BY4 against `__jump_table'
   mm/zsmalloc.o: in function `zs_shrinker_scan':
   zsmalloc.c:(.text+0x21e4): relocation truncated to fit: R_CKCORE_PCREL_IMM16BY4 against `__jump_table'
   mm/zsmalloc.o: in function `zs_page_migrate':
   zsmalloc.c:(.text+0x2234): relocation truncated to fit: R_CKCORE_PCREL_IMM16BY4 against `__jump_table'
   zsmalloc.c:(.text+0x224c): relocation truncated to fit: R_CKCORE_PCREL_IMM16BY4 against `__jump_table'
   zsmalloc.c:(.text+0x2278): relocation truncated to fit: R_CKCORE_PCREL_IMM16BY4 against `__jump_table'
   zsmalloc.c:(.text+0x22a2): relocation truncated to fit: R_CKCORE_PCREL_IMM16BY4 against `__jump_table'
   zsmalloc.c:(.text+0x22b0): additional relocation overflows omitted from the output
kernel test robot Nov. 20, 2023, 11:36 p.m. UTC | #3
Hi Tetsuo,

kernel test robot noticed the following build errors:

[auto build test ERROR on bpf/master]
[also build test ERROR on pcmoore-audit/next pcmoore-selinux/next linus/master v6.7-rc2]
[cannot apply to bpf-next/master next-20231120]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Tetsuo-Handa/LSM-Auto-undef-LSM_HOOK-macro/20231120-214522
base:   https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git master
patch link:    https://lore.kernel.org/r/34be5cd8-1fdd-4323-82a3-40f2e7d35db3%40I-love.SAKURA.ne.jp
patch subject: [PATCH 4/4] LSM: Add a LSM module which handles dynamically appendable LSM hooks.
config: arc-randconfig-002-20231121 (https://download.01.org/0day-ci/archive/20231121/202311210740.Mxc4WM7v-lkp@intel.com/config)
compiler: arc-elf-gcc (GCC) 13.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20231121/202311210740.Mxc4WM7v-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202311210740.Mxc4WM7v-lkp@intel.com/

All error/warnings (new ones prefixed by >>):

>> security/security.c:784:13: warning: no previous prototype for 'security_bprm_check_security' [-Wmissing-prototypes]
     784 |         int security_##NAME(__VA_ARGS__)                                \
         |             ^~~~~~~~~
   include/linux/lsm_hook_defs.h:114:1: note: in expansion of macro 'LSM_PLAIN_INT_HOOK'
     114 | LSM_PLAIN_INT_HOOK(int, 0, bprm_check_security, struct linux_binprm *bprm)
         | ^~~~~~~~~~~~~~~~~~
>> security/security.c:784:13: warning: no previous prototype for 'security_sb_alloc_security' [-Wmissing-prototypes]
     784 |         int security_##NAME(__VA_ARGS__)                                \
         |             ^~~~~~~~~
   include/linux/lsm_hook_defs.h:123:1: note: in expansion of macro 'LSM_PLAIN_INT_HOOK'
     123 | LSM_PLAIN_INT_HOOK(int, 0, sb_alloc_security, struct super_block *sb)
         | ^~~~~~~~~~~~~~~~~~
>> security/security.c:799:14: warning: no previous prototype for 'security_sb_free_security' [-Wmissing-prototypes]
     799 |         void security_##NAME(__VA_ARGS__)                               \
         |              ^~~~~~~~~
   include/linux/lsm_hook_defs.h:125:1: note: in expansion of macro 'LSM_PLAIN_VOID_HOOK'
     125 | LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, sb_free_security, struct super_block *sb)
         | ^~~~~~~~~~~~~~~~~~~
>> security/security.c:799:14: warning: no previous prototype for 'security_sb_free_mnt_opts' [-Wmissing-prototypes]
     799 |         void security_##NAME(__VA_ARGS__)                               \
         |              ^~~~~~~~~
   include/linux/lsm_hook_defs.h:126:1: note: in expansion of macro 'LSM_PLAIN_VOID_HOOK'
     126 | LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, sb_free_mnt_opts, void *mnt_opts)
         | ^~~~~~~~~~~~~~~~~~~
>> security/security.c:784:13: warning: no previous prototype for 'security_inode_alloc_security' [-Wmissing-prototypes]
     784 |         int security_##NAME(__VA_ARGS__)                                \
         |             ^~~~~~~~~
   include/linux/lsm_hook_defs.h:174:1: note: in expansion of macro 'LSM_PLAIN_INT_HOOK'
     174 | LSM_PLAIN_INT_HOOK(int, 0, inode_alloc_security, struct inode *inode)
         | ^~~~~~~~~~~~~~~~~~
>> security/security.c:799:14: warning: no previous prototype for 'security_inode_free_security' [-Wmissing-prototypes]
     799 |         void security_##NAME(__VA_ARGS__)                               \
         |              ^~~~~~~~~
   include/linux/lsm_hook_defs.h:175:1: note: in expansion of macro 'LSM_PLAIN_VOID_HOOK'
     175 | LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, inode_free_security, struct inode *inode)
         | ^~~~~~~~~~~~~~~~~~~
>> security/security.c:784:13: warning: no previous prototype for 'security_file_alloc_security' [-Wmissing-prototypes]
     784 |         int security_##NAME(__VA_ARGS__)                                \
         |             ^~~~~~~~~
   include/linux/lsm_hook_defs.h:231:1: note: in expansion of macro 'LSM_PLAIN_INT_HOOK'
     231 | LSM_PLAIN_INT_HOOK(int, 0, file_alloc_security, struct file *file)
         | ^~~~~~~~~~~~~~~~~~
>> security/security.c:799:14: warning: no previous prototype for 'security_file_free_security' [-Wmissing-prototypes]
     799 |         void security_##NAME(__VA_ARGS__)                               \
         |              ^~~~~~~~~
   include/linux/lsm_hook_defs.h:232:1: note: in expansion of macro 'LSM_PLAIN_VOID_HOOK'
     232 | LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, file_free_security, struct file *file)
         | ^~~~~~~~~~~~~~~~~~~
>> security/security.c:784:13: warning: no previous prototype for 'security_cred_prepare' [-Wmissing-prototypes]
     784 |         int security_##NAME(__VA_ARGS__)                                \
         |             ^~~~~~~~~
   include/linux/lsm_hook_defs.h:254:1: note: in expansion of macro 'LSM_PLAIN_INT_HOOK'
     254 | LSM_PLAIN_INT_HOOK(int, 0, cred_prepare, struct cred *new, const struct cred *old,
         | ^~~~~~~~~~~~~~~~~~
>> security/security.c:784:13: warning: no previous prototype for 'security_msg_msg_alloc_security' [-Wmissing-prototypes]
     784 |         int security_##NAME(__VA_ARGS__)                                \
         |             ^~~~~~~~~
   include/linux/lsm_hook_defs.h:300:1: note: in expansion of macro 'LSM_PLAIN_INT_HOOK'
     300 | LSM_PLAIN_INT_HOOK(int, 0, msg_msg_alloc_security, struct msg_msg *msg)
         | ^~~~~~~~~~~~~~~~~~
>> security/security.c:799:14: warning: no previous prototype for 'security_msg_msg_free_security' [-Wmissing-prototypes]
     799 |         void security_##NAME(__VA_ARGS__)                               \
         |              ^~~~~~~~~
   include/linux/lsm_hook_defs.h:301:1: note: in expansion of macro 'LSM_PLAIN_VOID_HOOK'
     301 | LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, msg_msg_free_security, struct msg_msg *msg)
         | ^~~~~~~~~~~~~~~~~~~
>> security/security.c:784:13: warning: no previous prototype for 'security_msg_queue_alloc_security' [-Wmissing-prototypes]
     784 |         int security_##NAME(__VA_ARGS__)                                \
         |             ^~~~~~~~~
   include/linux/lsm_hook_defs.h:302:1: note: in expansion of macro 'LSM_PLAIN_INT_HOOK'
     302 | LSM_PLAIN_INT_HOOK(int, 0, msg_queue_alloc_security, struct kern_ipc_perm *perm)
         | ^~~~~~~~~~~~~~~~~~
>> security/security.c:799:14: warning: no previous prototype for 'security_msg_queue_free_security' [-Wmissing-prototypes]
     799 |         void security_##NAME(__VA_ARGS__)                               \
         |              ^~~~~~~~~
   include/linux/lsm_hook_defs.h:303:1: note: in expansion of macro 'LSM_PLAIN_VOID_HOOK'
     303 | LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, msg_queue_free_security,
         | ^~~~~~~~~~~~~~~~~~~
>> security/security.c:784:13: warning: no previous prototype for 'security_shm_alloc_security' [-Wmissing-prototypes]
     784 |         int security_##NAME(__VA_ARGS__)                                \
         |             ^~~~~~~~~
   include/linux/lsm_hook_defs.h:311:1: note: in expansion of macro 'LSM_PLAIN_INT_HOOK'
     311 | LSM_PLAIN_INT_HOOK(int, 0, shm_alloc_security, struct kern_ipc_perm *perm)
         | ^~~~~~~~~~~~~~~~~~
>> security/security.c:799:14: warning: no previous prototype for 'security_shm_free_security' [-Wmissing-prototypes]
     799 |         void security_##NAME(__VA_ARGS__)                               \
         |              ^~~~~~~~~
   include/linux/lsm_hook_defs.h:312:1: note: in expansion of macro 'LSM_PLAIN_VOID_HOOK'
     312 | LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, shm_free_security, struct kern_ipc_perm *perm)
         | ^~~~~~~~~~~~~~~~~~~
>> security/security.c:784:13: warning: no previous prototype for 'security_sem_alloc_security' [-Wmissing-prototypes]
     784 |         int security_##NAME(__VA_ARGS__)                                \
         |             ^~~~~~~~~
   include/linux/lsm_hook_defs.h:317:1: note: in expansion of macro 'LSM_PLAIN_INT_HOOK'
     317 | LSM_PLAIN_INT_HOOK(int, 0, sem_alloc_security, struct kern_ipc_perm *perm)
         | ^~~~~~~~~~~~~~~~~~
>> security/security.c:799:14: warning: no previous prototype for 'security_sem_free_security' [-Wmissing-prototypes]
     799 |         void security_##NAME(__VA_ARGS__)                               \
         |              ^~~~~~~~~
   include/linux/lsm_hook_defs.h:318:1: note: in expansion of macro 'LSM_PLAIN_VOID_HOOK'
     318 | LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, sem_free_security, struct kern_ipc_perm *perm)
         | ^~~~~~~~~~~~~~~~~~~
>> security/security.c:799:14: warning: no previous prototype for 'security_sk_getsecid' [-Wmissing-prototypes]
     799 |         void security_##NAME(__VA_ARGS__)                               \
         |              ^~~~~~~~~
   include/linux/lsm_hook_defs.h:381:1: note: in expansion of macro 'LSM_PLAIN_VOID_HOOK'
     381 | LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, sk_getsecid, const struct sock *sk, u32 *secid)
         | ^~~~~~~~~~~~~~~~~~~
>> security/security.c:784:13: warning: no previous prototype for 'security_xfrm_policy_alloc_security' [-Wmissing-prototypes]
     784 |         int security_##NAME(__VA_ARGS__)                                \
         |             ^~~~~~~~~
   include/linux/lsm_hook_defs.h:420:1: note: in expansion of macro 'LSM_PLAIN_INT_HOOK'
     420 | LSM_PLAIN_INT_HOOK(int, 0, xfrm_policy_alloc_security, struct xfrm_sec_ctx **ctxp,
         | ^~~~~~~~~~~~~~~~~~
>> security/security.c:784:13: warning: no previous prototype for 'security_xfrm_policy_clone_security' [-Wmissing-prototypes]
     784 |         int security_##NAME(__VA_ARGS__)                                \
         |             ^~~~~~~~~
   include/linux/lsm_hook_defs.h:422:1: note: in expansion of macro 'LSM_PLAIN_INT_HOOK'
     422 | LSM_PLAIN_INT_HOOK(int, 0, xfrm_policy_clone_security, struct xfrm_sec_ctx *old_ctx,
         | ^~~~~~~~~~~~~~~~~~
   security/security.c:799:14: warning: no previous prototype for 'security_xfrm_policy_free_security' [-Wmissing-prototypes]
     799 |         void security_##NAME(__VA_ARGS__)                               \
         |              ^~~~~~~~~
   include/linux/lsm_hook_defs.h:424:1: note: in expansion of macro 'LSM_PLAIN_VOID_HOOK'
     424 | LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, xfrm_policy_free_security,
         | ^~~~~~~~~~~~~~~~~~~
   security/security.c:784:13: warning: no previous prototype for 'security_xfrm_policy_delete_security' [-Wmissing-prototypes]
     784 |         int security_##NAME(__VA_ARGS__)                                \
         |             ^~~~~~~~~
   include/linux/lsm_hook_defs.h:426:1: note: in expansion of macro 'LSM_PLAIN_INT_HOOK'
     426 | LSM_PLAIN_INT_HOOK(int, 0, xfrm_policy_delete_security, struct xfrm_sec_ctx *ctx)
         | ^~~~~~~~~~~~~~~~~~
   security/security.c:799:14: warning: no previous prototype for 'security_xfrm_state_free_security' [-Wmissing-prototypes]
     799 |         void security_##NAME(__VA_ARGS__)                               \
         |              ^~~~~~~~~
   include/linux/lsm_hook_defs.h:431:1: note: in expansion of macro 'LSM_PLAIN_VOID_HOOK'
     431 | LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, xfrm_state_free_security, struct xfrm_state *x)
         | ^~~~~~~~~~~~~~~~~~~
   security/security.c:784:13: warning: no previous prototype for 'security_xfrm_state_delete_security' [-Wmissing-prototypes]
     784 |         int security_##NAME(__VA_ARGS__)                                \
         |             ^~~~~~~~~
   include/linux/lsm_hook_defs.h:432:1: note: in expansion of macro 'LSM_PLAIN_INT_HOOK'
     432 | LSM_PLAIN_INT_HOOK(int, 0, xfrm_state_delete_security, struct xfrm_state *x)
         | ^~~~~~~~~~~~~~~~~~
   security/security.c:784:13: error: conflicting types for 'security_xfrm_decode_session'; have 'int(struct sk_buff *, u32 *, int)' {aka 'int(struct sk_buff *, unsigned int *, int)'}
     784 |         int security_##NAME(__VA_ARGS__)                                \
         |             ^~~~~~~~~
   include/linux/lsm_hook_defs.h:436:1: note: in expansion of macro 'LSM_PLAIN_INT_HOOK'
     436 | LSM_PLAIN_INT_HOOK(int, 0, xfrm_decode_session, struct sk_buff *skb, u32 *secid,
         | ^~~~~~~~~~~~~~~~~~
   In file included from include/linux/lsm_hooks.h:28,
                    from security/security.c:21:
   include/linux/security.h:1753:5: note: previous declaration of 'security_xfrm_decode_session' with type 'int(struct sk_buff *, u32 *)' {aka 'int(struct sk_buff *, unsigned int *)'}
    1753 | int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid);
         |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
   security/security.c:784:13: warning: no previous prototype for 'security_bpf_map_alloc_security' [-Wmissing-prototypes]
     784 |         int security_##NAME(__VA_ARGS__)                                \
         |             ^~~~~~~~~
   include/linux/lsm_hook_defs.h:462:1: note: in expansion of macro 'LSM_PLAIN_INT_HOOK'
     462 | LSM_PLAIN_INT_HOOK(int, 0, bpf_map_alloc_security, struct bpf_map *map)
         | ^~~~~~~~~~~~~~~~~~
   security/security.c:799:14: warning: no previous prototype for 'security_bpf_map_free_security' [-Wmissing-prototypes]
     799 |         void security_##NAME(__VA_ARGS__)                               \
         |              ^~~~~~~~~
   include/linux/lsm_hook_defs.h:463:1: note: in expansion of macro 'LSM_PLAIN_VOID_HOOK'
     463 | LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, bpf_map_free_security, struct bpf_map *map)
         | ^~~~~~~~~~~~~~~~~~~
   security/security.c:784:13: warning: no previous prototype for 'security_bpf_prog_alloc_security' [-Wmissing-prototypes]
     784 |         int security_##NAME(__VA_ARGS__)                                \
         |             ^~~~~~~~~
   include/linux/lsm_hook_defs.h:464:1: note: in expansion of macro 'LSM_PLAIN_INT_HOOK'
     464 | LSM_PLAIN_INT_HOOK(int, 0, bpf_prog_alloc_security, struct bpf_prog_aux *aux)
         | ^~~~~~~~~~~~~~~~~~
   security/security.c:799:14: warning: no previous prototype for 'security_bpf_prog_free_security' [-Wmissing-prototypes]
     799 |         void security_##NAME(__VA_ARGS__)                               \
         |              ^~~~~~~~~
   include/linux/lsm_hook_defs.h:465:1: note: in expansion of macro 'LSM_PLAIN_VOID_HOOK'
     465 | LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, bpf_prog_free_security, struct bpf_prog_aux *aux)
         | ^~~~~~~~~~~~~~~~~~~


vim +784 security/security.c

   781	
   782	#include <linux/lsm_hook_args.h>
   783	#define LSM_PLAIN_INT_HOOK(RET, DEFAULT, NAME, ...)			\
 > 784		int security_##NAME(__VA_ARGS__)				\
   785		{								\
   786			struct security_hook_list *P;				\
   787										\
   788			hlist_for_each_entry(P, &security_hook_heads.NAME, list) { \
   789				int RC = P->hook.NAME(LSM_CALL_ARGS_##NAME);	\
   790										\
   791				if (RC != DEFAULT)				\
   792					return RC;				\
   793			}							\
   794			return DEFAULT;						\
   795		}
   796	#define LSM_CUSTOM_INT_HOOK(RET, DEFAULT, NAME, ...) DECLARE_LSM_RET_DEFAULT_int(DEFAULT, NAME)
   797	#define LSM_SPECIAL_INT_HOOK(RET, DEFAULT, NAME, ...) DECLARE_LSM_RET_DEFAULT_int(DEFAULT, NAME)
   798	#define LSM_PLAIN_VOID_HOOK(RET, DEFAULT, NAME, ...)			\
 > 799		void security_##NAME(__VA_ARGS__)				\
   800		{								\
   801			struct security_hook_list *P;				\
   802										\
   803			hlist_for_each_entry(P, &security_hook_heads.NAME, list) \
   804				P->hook.NAME(LSM_CALL_ARGS_##NAME);		\
   805		}
   806	#define LSM_CUSTOM_VOID_HOOK(RET, DEFAULT, NAME, ...)
   807	#define LSM_SPECIAL_VOID_HOOK(RET, DEFAULT, NAME, ...)
   808	#include <linux/lsm_hook_defs.h>
   809

Patch

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 4ba1aedc7901..2166ff6541aa 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -137,4 +137,13 @@  extern struct lsm_info __start_early_lsm_info[], __end_early_lsm_info[];
 
 extern int lsm_inode_alloc(struct inode *inode);
 
+/* Definition of all modular callbacks. */
+struct security_hook_mappings {
+#define LSM_HOOK(RET, DEFAULT, NAME, ...)	\
+	RET (*NAME)(__VA_ARGS__);
+#include <linux/lsm_hook_defs.h>
+} /* __randomize_layout is useless here, for this is a "const __initdata" struct. */;
+
+extern int mod_lsm_add_hooks(const struct security_hook_mappings *maps);
+
 #endif /* ! __LINUX_LSM_HOOKS_H */
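Review bot: `mod_lsm_add_hooks()` is declared with no kernel-doc, so the contract a caller must honor cannot be read from the header: whether `maps` is copied or must stay valid for the life of the kernel, what the return value means, when it may be called (the series title says after boot), and whether it is reachable from loadable modules or only from built-in code. That last point matters most, since a symbol that lets code append callbacks to every LSM decision point after boot widens what a module can do; the header should say so explicitly. Also, the trailing comment `/* __randomize_layout is useless here, for this is a "const __initdata" struct. */` describes how callers are expected to define the table, but nothing in the type or in the prototype enforces `const __initdata`; either make that a documented requirement on `mod_lsm_add_hooks()` or drop the comment.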
diff --git a/security/Makefile b/security/Makefile
index 18121f8f85cd..a611350e9da4 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -10,7 +10,7 @@  obj-y					+= commoncap.o
 obj-$(CONFIG_MMU)			+= min_addr.o
 
 # Object file lists
-obj-$(CONFIG_SECURITY)			+= security.o
+obj-$(CONFIG_SECURITY)			+= security.o mod_lsm.o
 obj-$(CONFIG_SECURITYFS)		+= inode.o
 obj-$(CONFIG_SECURITY_SELINUX)		+= selinux/
 obj-$(CONFIG_SECURITY_SMACK)		+= smack/
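Review bot: `obj-$(CONFIG_SECURITY) += security.o mod_lsm.o` builds the dynamic-hook dispatcher into every CONFIG_SECURITY kernel with no way to opt out, although only TOMOYO is named as a user. mod_lsm.c adds a second hlist head for every hook in lsm_hook_defs.h plus a generated mod_lsm_* trampoline per hook, which is dead weight for SELinux-, Smack- or AppArmor-only configurations. Suggest gating it behind a Kconfig symbol (for example a hypothetical CONFIG_SECURITY_MOD_LSM) that the TOMOYO Kconfig selects, with `obj-$(CONFIG_SECURITY_MOD_LSM) += mod_lsm.o`.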
diff --git a/security/mod_lsm.c b/security/mod_lsm.c
new file mode 100644
index 000000000000..074a73326fc7
--- /dev/null
+++ b/security/mod_lsm.c
@@ -0,0 +1,321 @@ 
+// SPDX-License-Identifier: GPL-2.0-or-later
+#include <linux/lsm_hooks.h>
+
+extern int mod_lsm_add_hooks(const struct security_hook_mappings *maps);
+
+/* List of registered modular callbacks. */
+static struct {
+#define LSM_HOOK(RET, DEFAULT, NAME, ...) struct hlist_head NAME;
+#include <linux/lsm_hook_defs.h>
+} mod_lsm_dynamic_hooks;
+
+#define LSM_RET_DEFAULT(NAME) (NAME##_default)
+#define DECLARE_LSM_RET_DEFAULT_void(DEFAULT, NAME)
+#define DECLARE_LSM_RET_DEFAULT_int(DEFAULT, NAME) \
+	static const int __maybe_unused LSM_RET_DEFAULT(NAME) = (DEFAULT);
+
+#define call_void_hook(FUNC, ...)				\
+	do {							\
+		struct security_hook_list *P;			\
+								\
+		hlist_for_each_entry(P, &mod_lsm_dynamic_hooks.FUNC, list) \
+			P->hook.FUNC(__VA_ARGS__);		\
+	} while (0)
+
+#define call_int_hook(FUNC, IRC, ...) ({			\
+	int RC = IRC;						\
+	do {							\
+		struct security_hook_list *P;			\
+								\
+		hlist_for_each_entry(P, &mod_lsm_dynamic_hooks.FUNC, list) { \
+			RC = P->hook.FUNC(__VA_ARGS__);		\
+			if (RC != 0)				\
+				break;				\
+		}						\
+	} while (0);						\
+	RC;							\
+})
+
+#include <linux/lsm_hook_args.h>
+#define LSM_PLAIN_INT_HOOK(RET, DEFAULT, NAME, ...)			\
+	static int mod_lsm_##NAME(__VA_ARGS__)				\
+	{								\
+		struct security_hook_list *P;				\
+									\
+		hlist_for_each_entry(P, &mod_lsm_dynamic_hooks.NAME, list) { \
+			int RC = P->hook.NAME(LSM_CALL_ARGS_##NAME);	\
+									\
+			if (RC != DEFAULT)				\
+				return RC;				\
+		}							\
+		return DEFAULT;						\
+	}
+#define LSM_CUSTOM_INT_HOOK LSM_PLAIN_INT_HOOK
+#define LSM_SPECIAL_INT_HOOK(RET, DEFAULT, NAME, ...) DECLARE_LSM_RET_DEFAULT_int(DEFAULT, NAME)
+#define LSM_PLAIN_VOID_HOOK(RET, DEFAULT, NAME, ...)			\
+	static void mod_lsm_##NAME(__VA_ARGS__)				\
+	{								\
+		struct security_hook_list *P;				\
+									\
+		hlist_for_each_entry(P, &mod_lsm_dynamic_hooks.NAME, list) \
+			P->hook.NAME(LSM_CALL_ARGS_##NAME);		\
+	}
+#define LSM_CUSTOM_VOID_HOOK(RET, DEFAULT, NAME, ...)
+#define LSM_SPECIAL_VOID_HOOK(RET, DEFAULT, NAME, ...) DECLARE_LSM_RET_DEFAULT_void(DEFAULT, NAME)
+#include <linux/lsm_hook_defs.h>
+
+static int mod_lsm_settime(const struct timespec64 *ts, const struct timezone *tz)
+{
+	return call_int_hook(settime, 0, ts, tz);
+}
+
+static int mod_lsm_vm_enough_memory(struct mm_struct *mm, long pages)
+{
+	struct security_hook_list *hp;
+	int cap_sys_admin = 1;
+	int rc;
+
+	hlist_for_each_entry(hp, &mod_lsm_dynamic_hooks.vm_enough_memory, list) {
+		rc = hp->hook.vm_enough_memory(mm, pages);
+		if (rc <= 0) {
+			cap_sys_admin = 0;
+			break;
+		}
+	}
+	return cap_sys_admin;
+}
+
+static int mod_lsm_fs_context_parse_param(struct fs_context *fc, struct fs_parameter *param)
+{
+	struct security_hook_list *hp;
+	int trc;
+	int rc = -ENOPARAM;
+
+	hlist_for_each_entry(hp, &mod_lsm_dynamic_hooks.fs_context_parse_param, list) {
+		trc = hp->hook.fs_context_parse_param(fc, param);
+		if (trc == 0)
+			rc = 0;
+		else if (trc != -ENOPARAM)
+			return trc;
+	}
+	return rc;
+}
+
+static int mod_lsm_inode_init_security(struct inode *inode, struct inode *dir,
+				       const struct qstr *qstr, struct xattr *xattrs,
+				       int *xattr_count)
+{
+	struct security_hook_list *hp;
+	int ret = -EOPNOTSUPP;
+
+	hlist_for_each_entry(hp, &mod_lsm_dynamic_hooks.inode_init_security, list) {
+		ret = hp->hook.inode_init_security(inode, dir, qstr, xattrs, xattr_count);
+		if (ret && ret != -EOPNOTSUPP)
+			return ret;
+	}
+	return ret;
+}
+
+static void mod_lsm_inode_post_setxattr(struct dentry *dentry, const char *name, const void *value,
+					size_t size, int flags)
+{
+	call_void_hook(inode_post_setxattr, dentry, name, value, size, flags);
+}
+
+static void mod_lsm_task_free(struct task_struct *task)
+{
+	call_void_hook(task_free, task);
+}
+
+static void mod_lsm_cred_free(struct cred *cred)
+{
+	call_void_hook(cred_free, cred);
+}
+
+static void mod_lsm_cred_transfer(struct cred *new, const struct cred *old)
+{
+	call_void_hook(cred_transfer, new, old);
+}
+
+static void mod_lsm_cred_getsecid(const struct cred *c, u32 *secid)
+{
+	call_void_hook(cred_getsecid, c, secid);
+}
+
+static void mod_lsm_current_getsecid_subj(u32 *secid)
+{
+	call_void_hook(current_getsecid_subj, secid);
+}
+
+static void mod_lsm_task_getsecid_obj(struct task_struct *p, u32 *secid)
+{
+	call_void_hook(task_getsecid_obj, p, secid);
+}
+
+static int mod_lsm_task_prctl(int option, unsigned long arg2, unsigned long arg3,
+			      unsigned long arg4, unsigned long arg5)
+{
+	int thisrc;
+	int rc = LSM_RET_DEFAULT(task_prctl);
+	struct security_hook_list *hp;
+
+	hlist_for_each_entry(hp, &mod_lsm_dynamic_hooks.task_prctl, list) {
+		thisrc = hp->hook.task_prctl(option, arg2, arg3, arg4, arg5);
+		if (thisrc != LSM_RET_DEFAULT(task_prctl)) {
+			rc = thisrc;
+			if (thisrc != 0)
+				break;
+		}
+	}
+	return rc;
+}
+
+static int mod_lsm_userns_create(const struct cred *cred)
+{
+	return call_int_hook(userns_create, 0, cred);
+}
+
+static void mod_lsm_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
+{
+	call_void_hook(ipc_getsecid, ipcp, secid);
+}
+
+
+static void mod_lsm_d_instantiate(struct dentry *dentry, struct inode *inode)
+{
+	call_void_hook(d_instantiate, dentry, inode);
+}
+
+static int mod_lsm_getprocattr(struct task_struct *p, const char *name, char **value)
+{
+	/* Can't work because "lsm" argument is not available. */
+	return LSM_RET_DEFAULT(getprocattr);
+}
+
+static int mod_lsm_setprocattr(const char *name, void *value, size_t size)
+{
+	/* Can't work because "lsm" argument is not available. */
+	return LSM_RET_DEFAULT(setprocattr);
+}
+
+static void mod_lsm_release_secctx(char *secdata, u32 seclen)
+{
+	call_void_hook(release_secctx, secdata, seclen);
+}
+
+static void mod_lsm_inode_invalidate_secctx(struct inode *inode)
+{
+	call_void_hook(inode_invalidate_secctx, inode);
+}
+
+static int mod_lsm_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
+{
+	return call_int_hook(inode_getsecctx, -EOPNOTSUPP, inode, ctx, ctxlen);
+}
+
+#ifdef CONFIG_SECURITY_NETWORK
+static int mod_lsm_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
+{
+	return call_int_hook(socket_sock_rcv_skb, 0, sk, skb);
+}
+
+static int mod_lsm_socket_getpeersec_stream(struct socket *sock, sockptr_t optval,
+					    sockptr_t optlen, unsigned int len)
+{
+	return call_int_hook(socket_getpeersec_stream, -ENOPROTOOPT, sock, optval, optlen, len);
+}
+
+static int mod_lsm_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
+{
+	return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock, skb, secid);
+}
+
+static int mod_lsm_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
+{
+	return call_int_hook(sk_alloc_security, 0, sk, family, priority);
+}
+
+static void mod_lsm_sk_free_security(struct sock *sk)
+{
+	call_void_hook(sk_free_security, sk);
+}
+
+static void mod_lsm_sk_clone_security(const struct sock *sk, struct sock *newsk)
+{
+	call_void_hook(sk_clone_security, sk, newsk);
+}
+#endif
+
+#ifdef CONFIG_SECURITY_NETWORK_XFRM
+static int mod_lsm_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp,
+					     const struct flowi_common *flic)
+{
+	struct security_hook_list *hp;
+	int rc = LSM_RET_DEFAULT(xfrm_state_pol_flow_match);
+
+	hlist_for_each_entry(hp, &mod_lsm_dynamic_hooks.xfrm_state_pol_flow_match, list) {
+		rc = hp->hook.xfrm_state_pol_flow_match(x, xp, flic);
+		break;
+	}
+	return rc;
+}
+#endif
+
+/* Initialize all built-in callbacks here. */
+#define LSM_HOOK(RET, DEFAULT, NAME, ...) LSM_HOOK_INIT(NAME, mod_lsm_##NAME),
+static struct security_hook_list mod_lsm_builtin_hooks[] __ro_after_init = {
+#include <linux/lsm_hook_defs.h>
+};
+
+static int mod_lsm_enabled __ro_after_init = 1;
+static struct lsm_blob_sizes mod_lsm_blob_sizes __ro_after_init = { };
+
+static int __init mod_lsm_init(void)
+{
+	/* Initialize modular callbacks list. */
+#define LSM_HOOK(RET, DEFAULT, NAME, ...) INIT_HLIST_HEAD(&mod_lsm_dynamic_hooks.NAME);
+#include <linux/lsm_hook_defs.h>
+	/* Register built-in callbacks. */
+	security_add_hooks(mod_lsm_builtin_hooks, ARRAY_SIZE(mod_lsm_builtin_hooks), "mod_lsm");
+	return 0;
+}
+
+DEFINE_LSM(mod_lsm) = {
+	.name = "mod_lsm",
+	.enabled = &mod_lsm_enabled,
+	.flags = 0,
+	.blobs = &mod_lsm_blob_sizes,
+	.init = mod_lsm_init,
+};
+
+/* The only exported function for registering modular callbacks. */
+int mod_lsm_add_hooks(const struct security_hook_mappings *maps)
+{
+	struct security_hook_list *entry;
+	int count = 0;
+
+	if (!mod_lsm_enabled) {
+		pr_info_once("Loadable LSM support is not enabled.\n");
+		return -EOPNOTSUPP;
+	}
+
+	/* Count how meny callbacks are implemented. */
+#define LSM_HOOK(RET, DEFAULT, NAME, ...) do { if (maps->NAME) count++; } while (0);
+#include <linux/lsm_hook_defs.h>
+	if (!count)
+		return -EINVAL;
+	/* Allocate memory for registering implemented callbacks. */
+	entry = kmalloc_array(count, sizeof(struct security_hook_list), GFP_KERNEL);
+	if (!entry)
+		return -ENOMEM;
+	/* Registering imdividual callbacks. */
+	count = 0;
+#define LSM_HOOK(RET, DEFAULT, NAME, ...) do { if (maps->NAME) {	\
+			entry[count].hook.NAME = maps->NAME;		\
+			hlist_add_tail_rcu(&entry[count].list, &mod_lsm_dynamic_hooks.NAME); \
+			count++;					\
+		} } while (0);
+#include <linux/lsm_hook_defs.h>
+	return 0;
+}
+EXPORT_SYMBOL_GPL(mod_lsm_add_hooks);
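Review bot: mod_lsm_add_hooks() appends to the per-hook lists with hlist_add_tail_rcu() under no lock, and there is no matching removal function, so two modules registering at the same time can corrupt mod_lsm_dynamic_hooks and a module that is later unloaded leaves dangling function pointers that every subsequent call-in will jump through. The readers (mod_lsm_vm_enough_memory(), mod_lsm_fs_context_parse_param(), mod_lsm_task_prctl(), ...) also walk the lists with plain hlist_for_each_entry() and no rcu_read_lock(), so the _rcu variant on the writer side buys nothing by itself. Suggest a static DEFINE_MUTEX() held across the count-and-insert sequence, and either a documented rule that registration is permanent (callers must pin their own module) or an exported mod_lsm_del_hooks() that unlinks with hlist_del_rcu(), calls synchronize_rcu(), and only then kfree()s the array. Smaller points in the same hunk: kmalloc_array() leaves entry[i].lsm uninitialized (kcalloc() or set it explicitly); mod_lsm_blob_sizes is an empty __ro_after_init struct, so hooks registered this way can never obtain blob storage, which the commit message should state; mod_lsm_xfrm_state_pol_flow_match() silently ignores every registration after the first; and the comments have typos, "meny" -> "many" and "imdividual" -> "individual".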
diff --git a/security/security.c b/security/security.c
index d35d50b218c6..b455bfa62afc 100644
--- a/security/security.c
+++ b/security/security.c
@@ -746,9 +746,6 @@  static int lsm_superblock_alloc(struct super_block *sb)
 #define DECLARE_LSM_RET_DEFAULT_void(DEFAULT, NAME)
 #define DECLARE_LSM_RET_DEFAULT_int(DEFAULT, NAME) \
 	static const int __maybe_unused LSM_RET_DEFAULT(NAME) = (DEFAULT);
-#define LSM_HOOK(RET, DEFAULT, NAME, ...) \
-	DECLARE_LSM_RET_DEFAULT_##RET(DEFAULT, NAME)
-#include <linux/lsm_hook_defs.h>
 
 /*
  * Hook list operation macros.
@@ -782,6 +779,34 @@  static int lsm_superblock_alloc(struct super_block *sb)
 	RC;							\
 })
 
+#include <linux/lsm_hook_args.h>
+#define LSM_PLAIN_INT_HOOK(RET, DEFAULT, NAME, ...)			\
+	int security_##NAME(__VA_ARGS__)				\
+	{								\
+		struct security_hook_list *P;				\
+									\
+		hlist_for_each_entry(P, &security_hook_heads.NAME, list) { \
+			int RC = P->hook.NAME(LSM_CALL_ARGS_##NAME);	\
+									\
+			if (RC != DEFAULT)				\
+				return RC;				\
+		}							\
+		return DEFAULT;						\
+	}
+#define LSM_CUSTOM_INT_HOOK(RET, DEFAULT, NAME, ...) DECLARE_LSM_RET_DEFAULT_int(DEFAULT, NAME)
+#define LSM_SPECIAL_INT_HOOK(RET, DEFAULT, NAME, ...) DECLARE_LSM_RET_DEFAULT_int(DEFAULT, NAME)
+#define LSM_PLAIN_VOID_HOOK(RET, DEFAULT, NAME, ...)			\
+	void security_##NAME(__VA_ARGS__)				\
+	{								\
+		struct security_hook_list *P;				\
+									\
+		hlist_for_each_entry(P, &security_hook_heads.NAME, list) \
+			P->hook.NAME(LSM_CALL_ARGS_##NAME);		\
+	}
+#define LSM_CUSTOM_VOID_HOOK(RET, DEFAULT, NAME, ...)
+#define LSM_SPECIAL_VOID_HOOK(RET, DEFAULT, NAME, ...)
+#include <linux/lsm_hook_defs.h>
+
 /* Security operations */
 
 /**
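Review bot: LSM_PLAIN_INT_HOOK hard-codes one return-value policy, "the first result that differs from DEFAULT wins", and whether that is correct for a given hook is decided entirely by how lsm_hook_defs.h tags it as PLAIN versus CUSTOM/SPECIAL, which this hunk cannot show; a hook whose callers give a positive return a special meaning or that must run every module (the kind that stayed hand-written, e.g. vm_enough_memory or fs_context_parse_param) would change mediation silently if mis-tagged. Please add a comment above the macro stating that contract and list the hand-written exceptions in the commit message. Two further points: because the blanket `#include <linux/lsm_hook_defs.h>` that declared LSM_RET_DEFAULT() for every hook was removed in the previous hunk, LSM_RET_DEFAULT(NAME) now exists only for CUSTOM and SPECIAL hooks, so any remaining hand-written body that references it for a PLAIN hook will fail to build; and the new `#include <linux/lsm_hook_args.h>` with LSM_CALL_ARGS_##NAME is introduced outside this patch, so the expansion depends on every hook in lsm_hook_defs.h having a matching argument list there. Style: the upper-case locals `P` and `RC` are idiomatic inside call_int_hook() but read oddly as function bodies; `hp` and `rc` would match the rest of the file.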
@@ -792,10 +817,6 @@  static int lsm_superblock_alloc(struct super_block *sb)
  *
  * Return: Return 0 if permission is granted.
  */
-int security_binder_set_context_mgr(const struct cred *mgr)
-{
-	return call_int_hook(binder_set_context_mgr, 0, mgr);
-}
 
 /**
  * security_binder_transaction() - Check if a binder transaction is allowed
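Review bot: the kernel-doc block for security_binder_set_context_mgr() is kept while the definition under it is deleted, leaving `*/` followed by a blank line and the next `/**`; kernel-doc attaches a comment to the declaration that follows it, so this block no longer documents anything and will produce warnings in a kernel-doc run, and the generated documentation loses every hook converted to LSM_PLAIN_INT_HOOK. The same applies to each hunk below in this file that removes a body under a retained comment (ptrace, capget/capset, capable, quota, syslog, bprm_*, sb_*, path_*, inode_*, file_*, kernel_*, task_*, ipc, msg_queue and shm hooks). Either move the comments to the prototypes in include/linux/security.h, which kernel-doc also parses, or drop them here together with the bodies so the tree does not carry dangling documentation.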
@@ -806,11 +827,6 @@  int security_binder_set_context_mgr(const struct cred *mgr)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_binder_transaction(const struct cred *from,
-				const struct cred *to)
-{
-	return call_int_hook(binder_transaction, 0, from, to);
-}
 
 /**
  * security_binder_transfer_binder() - Check if a binder transfer is allowed
@@ -821,11 +837,6 @@  int security_binder_transaction(const struct cred *from,
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_binder_transfer_binder(const struct cred *from,
-				    const struct cred *to)
-{
-	return call_int_hook(binder_transfer_binder, 0, from, to);
-}
 
 /**
  * security_binder_transfer_file() - Check if a binder file xfer is allowed
@@ -837,11 +848,6 @@  int security_binder_transfer_binder(const struct cred *from,
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_binder_transfer_file(const struct cred *from,
-				  const struct cred *to, const struct file *file)
-{
-	return call_int_hook(binder_transfer_file, 0, from, to, file);
-}
 
 /**
  * security_ptrace_access_check() - Check if tracing is allowed
@@ -857,10 +863,6 @@  int security_binder_transfer_file(const struct cred *from,
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_ptrace_access_check(struct task_struct *child, unsigned int mode)
-{
-	return call_int_hook(ptrace_access_check, 0, child, mode);
-}
 
 /**
  * security_ptrace_traceme() - Check if tracing is allowed
@@ -872,10 +874,6 @@  int security_ptrace_access_check(struct task_struct *child, unsigned int mode)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_ptrace_traceme(struct task_struct *parent)
-{
-	return call_int_hook(ptrace_traceme, 0, parent);
-}
 
 /**
  * security_capget() - Get the capability sets for a process
@@ -891,14 +889,6 @@  int security_ptrace_traceme(struct task_struct *parent)
  *
  * Return: Returns 0 if the capability sets were successfully obtained.
  */
-int security_capget(const struct task_struct *target,
-		    kernel_cap_t *effective,
-		    kernel_cap_t *inheritable,
-		    kernel_cap_t *permitted)
-{
-	return call_int_hook(capget, 0, target,
-			     effective, inheritable, permitted);
-}
 
 /**
  * security_capset() - Set the capability sets for a process
@@ -913,14 +903,6 @@  int security_capget(const struct task_struct *target,
  *
  * Return: Returns 0 and update @new if permission is granted.
  */
-int security_capset(struct cred *new, const struct cred *old,
-		    const kernel_cap_t *effective,
-		    const kernel_cap_t *inheritable,
-		    const kernel_cap_t *permitted)
-{
-	return call_int_hook(capset, 0, new, old,
-			     effective, inheritable, permitted);
-}
 
 /**
  * security_capable() - Check if a process has the necessary capability
@@ -935,13 +917,6 @@  int security_capset(struct cred *new, const struct cred *old,
  *
  * Return: Returns 0 if the capability is granted.
  */
-int security_capable(const struct cred *cred,
-		     struct user_namespace *ns,
-		     int cap,
-		     unsigned int opts)
-{
-	return call_int_hook(capable, 0, cred, ns, cap, opts);
-}
 
 /**
  * security_quotactl() - Check if a quotactl() syscall is allowed for this fs
@@ -954,10 +929,6 @@  int security_capable(const struct cred *cred,
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_quotactl(int cmds, int type, int id, const struct super_block *sb)
-{
-	return call_int_hook(quotactl, 0, cmds, type, id, sb);
-}
 
 /**
  * security_quota_on() - Check if QUOTAON is allowed for a dentry
@@ -967,10 +938,6 @@  int security_quotactl(int cmds, int type, int id, const struct super_block *sb)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_quota_on(struct dentry *dentry)
-{
-	return call_int_hook(quota_on, 0, dentry);
-}
 
 /**
  * security_syslog() - Check if accessing the kernel message ring is allowed
@@ -982,10 +949,6 @@  int security_quota_on(struct dentry *dentry)
  *
  * Return: Return 0 if permission is granted.
  */
-int security_syslog(int type)
-{
-	return call_int_hook(syslog, 0, type);
-}
 
 /**
  * security_settime64() - Check if changing the system time is allowed
@@ -1052,10 +1015,6 @@  int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
  *
  * Return: Returns 0 if the hook is successful and permission is granted.
  */
-int security_bprm_creds_for_exec(struct linux_binprm *bprm)
-{
-	return call_int_hook(bprm_creds_for_exec, 0, bprm);
-}
 
 /**
  * security_bprm_creds_from_file() - Update linux_binprm creds based on file
@@ -1076,10 +1035,6 @@  int security_bprm_creds_for_exec(struct linux_binprm *bprm)
  *
  * Return: Returns 0 if the hook is successful and permission is granted.
  */
-int security_bprm_creds_from_file(struct linux_binprm *bprm, const struct file *file)
-{
-	return call_int_hook(bprm_creds_from_file, 0, bprm, file);
-}
 
 /**
  * security_bprm_check() - Mediate binary handler search
@@ -1115,10 +1070,6 @@  int security_bprm_check(struct linux_binprm *bprm)
  * open file descriptors to which access will no longer be granted when the
  * attributes are changed.  This is called immediately before commit_creds().
  */
-void security_bprm_committing_creds(const struct linux_binprm *bprm)
-{
-	call_void_hook(bprm_committing_creds, bprm);
-}
 
 /**
  * security_bprm_committed_creds() - Tidy up after cred install during exec()
@@ -1131,10 +1082,6 @@  void security_bprm_committing_creds(const struct linux_binprm *bprm)
  * process such as clearing out non-inheritable signal state.  This is called
  * immediately after commit_creds().
  */
-void security_bprm_committed_creds(const struct linux_binprm *bprm)
-{
-	call_void_hook(bprm_committed_creds, bprm);
-}
 
 /**
  * security_fs_context_submount() - Initialise fc->security
@@ -1145,10 +1092,6 @@  void security_bprm_committed_creds(const struct linux_binprm *bprm)
  *
  * Return: Returns 0 on success or negative error code on failure.
  */
-int security_fs_context_submount(struct fs_context *fc, struct super_block *reference)
-{
-	return call_int_hook(fs_context_submount, 0, fc, reference);
-}
 
 /**
  * security_fs_context_dup() - Duplicate a fs_context LSM blob
@@ -1161,10 +1104,6 @@  int security_fs_context_submount(struct fs_context *fc, struct super_block *refe
  *
  * Return: Returns 0 on success or a negative error code on failure.
  */
-int security_fs_context_dup(struct fs_context *fc, struct fs_context *src_fc)
-{
-	return call_int_hook(fs_context_dup, 0, fc, src_fc);
-}
 
 /**
  * security_fs_context_parse_param() - Configure a filesystem context
@@ -1225,10 +1164,6 @@  int security_sb_alloc(struct super_block *sb)
  * Release objects tied to a superblock (e.g. inodes).  @sb contains the
  * super_block structure being released.
  */
-void security_sb_delete(struct super_block *sb)
-{
-	call_void_hook(sb_delete, sb);
-}
 
 /**
  * security_sb_free() - Free a super_block LSM blob
@@ -1268,10 +1203,6 @@  EXPORT_SYMBOL(security_free_mnt_opts);
  *
  * Return: Returns 0 on success, negative values on failure.
  */
-int security_sb_eat_lsm_opts(char *options, void **mnt_opts)
-{
-	return call_int_hook(sb_eat_lsm_opts, 0, options, mnt_opts);
-}
 EXPORT_SYMBOL(security_sb_eat_lsm_opts);
 
 /**
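Review bot: `EXPORT_SYMBOL(security_sb_eat_lsm_opts);` is kept while the function it exports is now emitted by LSM_PLAIN_INT_HOOK several hundred lines earlier, so the export sits under a kernel-doc block with no definition; the same stranded EXPORT_SYMBOL pattern recurs below for sb_mnt_opts_compat, sb_remount, sb_clone_mnt_opts, dentry_init_security, dentry_create_files_as, inode_copy_up and file_ioctl. It still links, but the export is now detached from the definition it refers to, which makes it easy to overlook when a hook is reclassified. Suggest either an LSM_PLAIN_INT_HOOK variant that emits the EXPORT_SYMBOL next to the generated definition, or collecting these exports right after the macro instantiation with a comment explaining why they live there.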
@@ -1284,11 +1215,6 @@  EXPORT_SYMBOL(security_sb_eat_lsm_opts);
  *
  * Return: Returns 0 if options are compatible.
  */
-int security_sb_mnt_opts_compat(struct super_block *sb,
-				void *mnt_opts)
-{
-	return call_int_hook(sb_mnt_opts_compat, 0, sb, mnt_opts);
-}
 EXPORT_SYMBOL(security_sb_mnt_opts_compat);
 
 /**
@@ -1301,11 +1227,6 @@  EXPORT_SYMBOL(security_sb_mnt_opts_compat);
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_sb_remount(struct super_block *sb,
-			void *mnt_opts)
-{
-	return call_int_hook(sb_remount, 0, sb, mnt_opts);
-}
 EXPORT_SYMBOL(security_sb_remount);
 
 /**
@@ -1316,10 +1237,6 @@  EXPORT_SYMBOL(security_sb_remount);
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_sb_kern_mount(const struct super_block *sb)
-{
-	return call_int_hook(sb_kern_mount, 0, sb);
-}
 
 /**
  * security_sb_show_options() - Output the mount options for a superblock
@@ -1330,10 +1247,6 @@  int security_sb_kern_mount(const struct super_block *sb)
  *
  * Return: Returns 0 on success, negative values on failure.
  */
-int security_sb_show_options(struct seq_file *m, struct super_block *sb)
-{
-	return call_int_hook(sb_show_options, 0, m, sb);
-}
 
 /**
  * security_sb_statfs() - Check if accessing fs stats is allowed
@@ -1344,10 +1257,6 @@  int security_sb_show_options(struct seq_file *m, struct super_block *sb)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_sb_statfs(struct dentry *dentry)
-{
-	return call_int_hook(sb_statfs, 0, dentry);
-}
 
 /**
  * security_sb_mount() - Check permission for mounting a filesystem
@@ -1366,11 +1275,6 @@  int security_sb_statfs(struct dentry *dentry)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_sb_mount(const char *dev_name, const struct path *path,
-		      const char *type, unsigned long flags, void *data)
-{
-	return call_int_hook(sb_mount, 0, dev_name, path, type, flags, data);
-}
 
 /**
  * security_sb_umount() - Check permission for unmounting a filesystem
@@ -1381,10 +1285,6 @@  int security_sb_mount(const char *dev_name, const struct path *path,
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_sb_umount(struct vfsmount *mnt, int flags)
-{
-	return call_int_hook(sb_umount, 0, mnt, flags);
-}
 
 /**
  * security_sb_pivotroot() - Check permissions for pivoting the rootfs
@@ -1395,11 +1295,6 @@  int security_sb_umount(struct vfsmount *mnt, int flags)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_sb_pivotroot(const struct path *old_path,
-			  const struct path *new_path)
-{
-	return call_int_hook(sb_pivotroot, 0, old_path, new_path);
-}
 
 /**
  * security_sb_set_mnt_opts() - Set the mount options for a filesystem
@@ -1434,14 +1329,6 @@  EXPORT_SYMBOL(security_sb_set_mnt_opts);
  *
  * Return: Returns 0 on success, error on failure.
  */
-int security_sb_clone_mnt_opts(const struct super_block *oldsb,
-			       struct super_block *newsb,
-			       unsigned long kern_flags,
-			       unsigned long *set_kern_flags)
-{
-	return call_int_hook(sb_clone_mnt_opts, 0, oldsb, newsb,
-			     kern_flags, set_kern_flags);
-}
 EXPORT_SYMBOL(security_sb_clone_mnt_opts);
 
 /**
@@ -1453,11 +1340,6 @@  EXPORT_SYMBOL(security_sb_clone_mnt_opts);
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_move_mount(const struct path *from_path,
-			const struct path *to_path)
-{
-	return call_int_hook(move_mount, 0, from_path, to_path);
-}
 
 /**
  * security_path_notify() - Check if setting a watch is allowed
@@ -1470,11 +1352,6 @@  int security_move_mount(const struct path *from_path,
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_path_notify(const struct path *path, u64 mask,
-			 unsigned int obj_type)
-{
-	return call_int_hook(path_notify, 0, path, mask, obj_type);
-}
 
 /**
  * security_inode_alloc() - Allocate an inode LSM blob
@@ -1545,26 +1422,6 @@  void security_inode_free(struct inode *inode)
  *
  * Return: Returns 0 on success, negative values on failure.
  */
-int security_dentry_init_security(struct dentry *dentry, int mode,
-				  const struct qstr *name,
-				  const char **xattr_name, void **ctx,
-				  u32 *ctxlen)
-{
-	struct security_hook_list *hp;
-	int rc;
-
-	/*
-	 * Only one module will provide a security context.
-	 */
-	hlist_for_each_entry(hp, &security_hook_heads.dentry_init_security,
-			     list) {
-		rc = hp->hook.dentry_init_security(dentry, mode, name,
-						   xattr_name, ctx, ctxlen);
-		if (rc != LSM_RET_DEFAULT(dentry_init_security))
-			return rc;
-	}
-	return LSM_RET_DEFAULT(dentry_init_security);
-}
 EXPORT_SYMBOL(security_dentry_init_security);
 
 /**
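Review bot: the deleted body of security_dentry_init_security() carried the only in-code statement of the hook's semantics, `* Only one module will provide a security context.`; LSM_PLAIN_INT_HOOK reproduces the behaviour (return on the first result that is not LSM_RET_DEFAULT(dentry_init_security)), so the conversion is correct, but the rationale is lost. Please carry that comment to the hook's entry in lsm_hook_defs.h or into the retained kernel-doc block so a future reader knows this hook intentionally stops at the first provider.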
@@ -1582,13 +1439,6 @@  EXPORT_SYMBOL(security_dentry_init_security);
  *
  * Return: Returns 0 on success, error on failure.
  */
-int security_dentry_create_files_as(struct dentry *dentry, int mode,
-				    struct qstr *name,
-				    const struct cred *old, struct cred *new)
-{
-	return call_int_hook(dentry_create_files_as, 0, dentry, mode,
-			     name, old, new);
-}
 EXPORT_SYMBOL(security_dentry_create_files_as);
 
 /**
@@ -1683,13 +1533,6 @@  EXPORT_SYMBOL(security_inode_init_security);
  * Return: Returns 0 on success, -EACCES if the security module denies the
  * creation of this inode, or another -errno upon other errors.
  */
-int security_inode_init_security_anon(struct inode *inode,
-				      const struct qstr *name,
-				      const struct inode *context_inode)
-{
-	return call_int_hook(inode_init_security_anon, 0, inode, name,
-			     context_inode);
-}
 
 #ifdef CONFIG_SECURITY_PATH
 /**
@@ -1887,10 +1730,6 @@  int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_path_chroot(const struct path *path)
-{
-	return call_int_hook(path_chroot, 0, path);
-}
 #endif /* CONFIG_SECURITY_PATH */
 
 /**
@@ -2360,10 +2199,6 @@  int security_inode_removexattr(struct mnt_idmap *idmap,
  *         security_inode_killpriv() does not need to be called, return >0 if
  *         security_inode_killpriv() does need to be called.
  */
-int security_inode_need_killpriv(struct dentry *dentry)
-{
-	return call_int_hook(inode_need_killpriv, 0, dentry);
-}
 
 /**
  * security_inode_killpriv() - The setuid bit is removed, update LSM state
@@ -2376,11 +2211,6 @@  int security_inode_need_killpriv(struct dentry *dentry)
  * Return: Return 0 on success.  If error is returned, then the operation
  *         causing setuid bit removal is failed.
  */
-int security_inode_killpriv(struct mnt_idmap *idmap,
-			    struct dentry *dentry)
-{
-	return call_int_hook(inode_killpriv, 0, idmap, dentry);
-}
 
 /**
  * security_inode_getsecurity() - Get the xattr security label of an inode
@@ -2484,10 +2314,6 @@  EXPORT_SYMBOL(security_inode_listsecurity);
  * Get the secid associated with the node.  In case of failure, @secid will be
  * set to zero.
  */
-void security_inode_getsecid(struct inode *inode, u32 *secid)
-{
-	call_void_hook(inode_getsecid, inode, secid);
-}
 
 /**
  * security_inode_copy_up() - Create new creds for an overlayfs copy-up op
@@ -2501,10 +2327,6 @@  void security_inode_getsecid(struct inode *inode, u32 *secid)
  *
  * Return: Returns 0 on success or a negative error code on error.
  */
-int security_inode_copy_up(struct dentry *src, struct cred **new)
-{
-	return call_int_hook(inode_copy_up, 0, src, new);
-}
 EXPORT_SYMBOL(security_inode_copy_up);
 
 /**
@@ -2550,11 +2372,6 @@  EXPORT_SYMBOL(security_inode_copy_up_xattr);
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_kernfs_init_security(struct kernfs_node *kn_dir,
-				  struct kernfs_node *kn)
-{
-	return call_int_hook(kernfs_init_security, 0, kn_dir, kn);
-}
 
 /**
  * security_file_permission() - Check file permissions
@@ -2639,10 +2456,6 @@  void security_file_free(struct file *file)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
-{
-	return call_int_hook(file_ioctl, 0, file, cmd, arg);
-}
 EXPORT_SYMBOL_GPL(security_file_ioctl);
 
 static inline unsigned long mmap_prot(struct file *file, unsigned long prot)
@@ -2709,10 +2522,6 @@  int security_mmap_file(struct file *file, unsigned long prot,
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_mmap_addr(unsigned long addr)
-{
-	return call_int_hook(mmap_addr, 0, addr);
-}
 
 /**
  * security_file_mprotect() - Check if changing memory protections is allowed
@@ -2745,10 +2554,6 @@  int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_file_lock(struct file *file, unsigned int cmd)
-{
-	return call_int_hook(file_lock, 0, file, cmd);
-}
 
 /**
  * security_file_fcntl() - Check if fcntl() op is allowed
@@ -2764,10 +2569,6 @@  int security_file_lock(struct file *file, unsigned int cmd)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg)
-{
-	return call_int_hook(file_fcntl, 0, file, cmd, arg);
-}
 
 /**
  * security_file_set_fowner() - Set the file owner info in the LSM blob
@@ -2778,10 +2579,6 @@  int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg)
  *
  * Return: Returns 0 on success.
  */
-void security_file_set_fowner(struct file *file)
-{
-	call_void_hook(file_set_fowner, file);
-}
 
 /**
  * security_file_send_sigiotask() - Check if sending SIGIO/SIGURG is allowed
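Review bot: the retained kernel-doc for security_file_set_fowner() still says `* Return: Returns 0 on success.` although the hook is void (the removed line is `-void security_file_set_fowner(struct file *file)`), so the comment was already wrong before this change. Since this hunk touches the block, drop the Return: line here, or fix it when the comments are relocated alongside the other converted hooks.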
@@ -2797,11 +2594,6 @@  void security_file_set_fowner(struct file *file)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_file_send_sigiotask(struct task_struct *tsk,
-				 struct fown_struct *fown, int sig)
-{
-	return call_int_hook(file_send_sigiotask, 0, tsk, fown, sig);
-}
 
 /**
  * security_file_receive() - Check is receiving a file via IPC is allowed
@@ -2812,10 +2604,6 @@  int security_file_send_sigiotask(struct task_struct *tsk,
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_file_receive(struct file *file)
-{
-	return call_int_hook(file_receive, 0, file);
-}
 
 /**
  * security_file_open() - Save open() time state for late use by the LSM
@@ -2847,10 +2635,6 @@  int security_file_open(struct file *file)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_file_truncate(struct file *file)
-{
-	return call_int_hook(file_truncate, 0, file);
-}
 
 /**
  * security_task_alloc() - Allocate a task's LSM blob
@@ -2992,10 +2776,6 @@  EXPORT_SYMBOL(security_cred_getsecid);
  *
  * Return: Returns 0 if successful.
  */
-int security_kernel_act_as(struct cred *new, u32 secid)
-{
-	return call_int_hook(kernel_act_as, 0, new, secid);
-}
 
 /**
  * security_kernel_create_files_as() - Set file creation context using an inode
@@ -3008,10 +2788,6 @@  int security_kernel_act_as(struct cred *new, u32 secid)
  *
  * Return: Returns 0 if successful.
  */
-int security_kernel_create_files_as(struct cred *new, struct inode *inode)
-{
-	return call_int_hook(kernel_create_files_as, 0, new, inode);
-}
 
 /**
  * security_kernel_module_request() - Check is loading a module is allowed
@@ -3141,11 +2917,6 @@  EXPORT_SYMBOL_GPL(security_kernel_post_load_data);
  *
  * Return: Returns 0 on success.
  */
-int security_task_fix_setuid(struct cred *new, const struct cred *old,
-			     int flags)
-{
-	return call_int_hook(task_fix_setuid, 0, new, old, flags);
-}
 
 /**
  * security_task_fix_setgid() - Update LSM with new group id attributes
@@ -3161,11 +2932,6 @@  int security_task_fix_setuid(struct cred *new, const struct cred *old,
  *
  * Return: Returns 0 on success.
  */
-int security_task_fix_setgid(struct cred *new, const struct cred *old,
-			     int flags)
-{
-	return call_int_hook(task_fix_setgid, 0, new, old, flags);
-}
 
 /**
  * security_task_fix_setgroups() - Update LSM with new supplementary groups
@@ -3179,10 +2945,6 @@  int security_task_fix_setgid(struct cred *new, const struct cred *old,
  *
  * Return: Returns 0 on success.
  */
-int security_task_fix_setgroups(struct cred *new, const struct cred *old)
-{
-	return call_int_hook(task_fix_setgroups, 0, new, old);
-}
 
 /**
  * security_task_setpgid() - Check if setting the pgid is allowed
@@ -3194,10 +2956,6 @@  int security_task_fix_setgroups(struct cred *new, const struct cred *old)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_task_setpgid(struct task_struct *p, pid_t pgid)
-{
-	return call_int_hook(task_setpgid, 0, p, pgid);
-}
 
 /**
  * security_task_getpgid() - Check if getting the pgid is allowed
@@ -3208,10 +2966,6 @@  int security_task_setpgid(struct task_struct *p, pid_t pgid)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_task_getpgid(struct task_struct *p)
-{
-	return call_int_hook(task_getpgid, 0, p);
-}
 
 /**
  * security_task_getsid() - Check if getting the session id is allowed
@@ -3221,10 +2975,6 @@  int security_task_getpgid(struct task_struct *p)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_task_getsid(struct task_struct *p)
-{
-	return call_int_hook(task_getsid, 0, p);
-}
 
 /**
  * security_current_getsecid_subj() - Get the current task's subjective secid
@@ -3264,10 +3014,6 @@  EXPORT_SYMBOL(security_task_getsecid_obj);
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_task_setnice(struct task_struct *p, int nice)
-{
-	return call_int_hook(task_setnice, 0, p, nice);
-}
 
 /**
  * security_task_setioprio() - Check if setting a task's ioprio is allowed
@@ -3278,10 +3024,6 @@  int security_task_setnice(struct task_struct *p, int nice)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_task_setioprio(struct task_struct *p, int ioprio)
-{
-	return call_int_hook(task_setioprio, 0, p, ioprio);
-}
 
 /**
  * security_task_getioprio() - Check if getting a task's ioprio is allowed
@@ -3291,10 +3033,6 @@  int security_task_setioprio(struct task_struct *p, int ioprio)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_task_getioprio(struct task_struct *p)
-{
-	return call_int_hook(task_getioprio, 0, p);
-}
 
 /**
  * security_task_prlimit() - Check if get/setting resources limits is allowed
@@ -3307,11 +3045,6 @@  int security_task_getioprio(struct task_struct *p)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_task_prlimit(const struct cred *cred, const struct cred *tcred,
-			  unsigned int flags)
-{
-	return call_int_hook(task_prlimit, 0, cred, tcred, flags);
-}
 
 /**
  * security_task_setrlimit() - Check if setting a new rlimit value is allowed
@@ -3325,11 +3058,6 @@  int security_task_prlimit(const struct cred *cred, const struct cred *tcred,
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_task_setrlimit(struct task_struct *p, unsigned int resource,
-			    struct rlimit *new_rlim)
-{
-	return call_int_hook(task_setrlimit, 0, p, resource, new_rlim);
-}
 
 /**
  * security_task_setscheduler() - Check if setting sched policy/param is allowed
@@ -3340,10 +3068,6 @@  int security_task_setrlimit(struct task_struct *p, unsigned int resource,
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_task_setscheduler(struct task_struct *p)
-{
-	return call_int_hook(task_setscheduler, 0, p);
-}
 
 /**
  * security_task_getscheduler() - Check if getting scheduling info is allowed
@@ -3353,10 +3077,6 @@  int security_task_setscheduler(struct task_struct *p)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_task_getscheduler(struct task_struct *p)
-{
-	return call_int_hook(task_getscheduler, 0, p);
-}
 
 /**
  * security_task_movememory() - Check if moving memory is allowed
@@ -3366,10 +3086,6 @@  int security_task_getscheduler(struct task_struct *p)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_task_movememory(struct task_struct *p)
-{
-	return call_int_hook(task_movememory, 0, p);
-}
 
 /**
  * security_task_kill() - Check if sending a signal is allowed
@@ -3386,11 +3102,6 @@  int security_task_movememory(struct task_struct *p)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_task_kill(struct task_struct *p, struct kernel_siginfo *info,
-		       int sig, const struct cred *cred)
-{
-	return call_int_hook(task_kill, 0, p, info, sig, cred);
-}
 
 /**
  * security_task_prctl() - Check if a prctl op is allowed
@@ -3432,10 +3143,6 @@  int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
  * Set the security attributes for an inode based on an associated task's
  * security attributes, e.g. for /proc/pid inodes.
  */
-void security_task_to_inode(struct task_struct *p, struct inode *inode)
-{
-	call_void_hook(task_to_inode, p, inode);
-}
 
 /**
  * security_create_user_ns() - Check if creating a new userns is allowed
@@ -3459,10 +3166,6 @@  int security_create_user_ns(const struct cred *cred)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
-{
-	return call_int_hook(ipc_permission, 0, ipcp, flag);
-}
 
 /**
  * security_ipc_getsecid() - Get the sysv ipc object's secid
@@ -3557,10 +3260,6 @@  void security_msg_queue_free(struct kern_ipc_perm *msq)
  *
  * Return: Return 0 if permission is granted.
  */
-int security_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
-{
-	return call_int_hook(msg_queue_associate, 0, msq, msqflg);
-}
 
 /**
  * security_msg_queue_msgctl() - Check if a msg queue operation is allowed
@@ -3572,10 +3271,6 @@  int security_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
-{
-	return call_int_hook(msg_queue_msgctl, 0, msq, cmd);
-}
 
 /**
  * security_msg_queue_msgsnd() - Check if sending a sysv ipc message is allowed
@@ -3588,11 +3283,6 @@  int security_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_msg_queue_msgsnd(struct kern_ipc_perm *msq,
-			      struct msg_msg *msg, int msqflg)
-{
-	return call_int_hook(msg_queue_msgsnd, 0, msq, msg, msqflg);
-}
 
 /**
  * security_msg_queue_msgrcv() - Check if receiving a sysv ipc msg is allowed
@@ -3609,11 +3299,6 @@  int security_msg_queue_msgsnd(struct kern_ipc_perm *msq,
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
-			      struct task_struct *target, long type, int mode)
-{
-	return call_int_hook(msg_queue_msgrcv, 0, msq, msg, target, type, mode);
-}
 
 /**
  * security_shm_alloc() - Allocate a sysv shm LSM blob
@@ -3661,10 +3346,6 @@  void security_shm_free(struct kern_ipc_perm *shp)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_shm_associate(struct kern_ipc_perm *shp, int shmflg)
-{
-	return call_int_hook(shm_associate, 0, shp, shmflg);
-}
 
 /**
  * security_shm_shmctl() - Check if a sysv shm operation is allowed
@@ -3676,10 +3357,6 @@  int security_shm_associate(struct kern_ipc_perm *shp, int shmflg)
  *
  * Return: Return 0 if permission is granted.
  */
-int security_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
-{
-	return call_int_hook(shm_shmctl, 0, shp, cmd);
-}
 
 /**
  * security_shm_shmat() - Check if a sysv shm attach operation is allowed
@@ -3693,11 +3370,6 @@  int security_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_shm_shmat(struct kern_ipc_perm *shp,
-		       char __user *shmaddr, int shmflg)
-{
-	return call_int_hook(shm_shmat, 0, shp, shmaddr, shmflg);
-}
 
 /**
  * security_sem_alloc() - Allocate a sysv semaphore LSM blob
@@ -3744,10 +3416,6 @@  void security_sem_free(struct kern_ipc_perm *sma)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_sem_associate(struct kern_ipc_perm *sma, int semflg)
-{
-	return call_int_hook(sem_associate, 0, sma, semflg);
-}
 
 /**
  * security_sem_semctl() - Check if a sysv semaphore operation is allowed
@@ -3759,10 +3427,6 @@  int security_sem_associate(struct kern_ipc_perm *sma, int semflg)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_sem_semctl(struct kern_ipc_perm *sma, int cmd)
-{
-	return call_int_hook(sem_semctl, 0, sma, cmd);
-}
 
 /**
  * security_sem_semop() - Check if a sysv semaphore operation is allowed
@@ -3776,11 +3440,6 @@  int security_sem_semctl(struct kern_ipc_perm *sma, int cmd)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_sem_semop(struct kern_ipc_perm *sma, struct sembuf *sops,
-		       unsigned nsops, int alter)
-{
-	return call_int_hook(sem_semop, 0, sma, sops, nsops, alter);
-}
 
 /**
  * security_d_instantiate() - Populate an inode's LSM state based on a dentry
@@ -3859,10 +3518,6 @@  int security_setprocattr(const char *lsm, const char *name, void *value,
  * Return: Returns 0 if the information was successfully saved and message is
  *         allowed to be transmitted.
  */
-int security_netlink_send(struct sock *sk, struct sk_buff *skb)
-{
-	return call_int_hook(netlink_send, 0, sk, skb);
-}
 
 /**
  * security_ismaclabel() - Check is the named attribute is a MAC label
@@ -3872,10 +3527,6 @@  int security_netlink_send(struct sock *sk, struct sk_buff *skb)
  *
  * Return: Returns 1 if name is a MAC attribute otherwise returns 0.
  */
-int security_ismaclabel(const char *name)
-{
-	return call_int_hook(ismaclabel, 0, name);
-}
 EXPORT_SYMBOL(security_ismaclabel);
 
 /**
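Review bot: `EXPORT_SYMBOL(security_ismaclabel);` is kept although the definition it exported is removed from this file, so the line now references a symbol security.c no longer defines and only links if the replacement definition is built into the same image. Kernel convention is to put EXPORT_SYMBOL immediately after the function it exports, so this line (and the other retained exports below it, e.g. `EXPORT_SYMBOL(security_secid_to_secctx);`) should move next to the new definition, or the commit message should state where the definitions now come from.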
@@ -3891,23 +3542,6 @@  EXPORT_SYMBOL(security_ismaclabel);
  *
  * Return: Return 0 on success, error on failure.
  */
-int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
-{
-	struct security_hook_list *hp;
-	int rc;
-
-	/*
-	 * Currently, only one LSM can implement secid_to_secctx (i.e this
-	 * LSM hook is not "stackable").
-	 */
-	hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) {
-		rc = hp->hook.secid_to_secctx(secid, secdata, seclen);
-		if (rc != LSM_RET_DEFAULT(secid_to_secctx))
-			return rc;
-	}
-
-	return LSM_RET_DEFAULT(secid_to_secctx);
-}
 EXPORT_SYMBOL(security_secid_to_secctx);
 
 /**
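Review bot: the deleted `security_secid_to_secctx()` did not follow the `call_int_hook()` pattern used by the other removed wrappers: it walked `security_hook_heads.secid_to_secctx`, returned the first result that differed from `LSM_RET_DEFAULT(secid_to_secctx)`, and otherwise returned that default rather than a literal 0, with the removed comment ("only one LSM can implement secid_to_secctx") recording why. Whatever replaces it must keep the compare-against-LSM_RET_DEFAULT semantics; folding it into a generic first-non-zero-result-wins helper changes the return value when no LSM implements the hook.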
@@ -3968,10 +3602,6 @@  EXPORT_SYMBOL(security_inode_invalidate_secctx);
  *
  * Return: Returns 0 on success, error on failure.
  */
-int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
-{
-	return call_int_hook(inode_notifysecctx, 0, inode, ctx, ctxlen);
-}
 EXPORT_SYMBOL(security_inode_notifysecctx);
 
 /**
@@ -3990,10 +3620,6 @@  EXPORT_SYMBOL(security_inode_notifysecctx);
  *
  * Return: Returns 0 on success, error on failure.
  */
-int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
-{
-	return call_int_hook(inode_setsecctx, 0, dentry, ctx, ctxlen);
-}
 EXPORT_SYMBOL(security_inode_setsecctx);
 
 /**
@@ -4024,12 +3650,6 @@  EXPORT_SYMBOL(security_inode_getsecctx);
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_post_notification(const struct cred *w_cred,
-			       const struct cred *cred,
-			       struct watch_notification *n)
-{
-	return call_int_hook(post_notification, 0, w_cred, cred, n);
-}
 #endif /* CONFIG_WATCH_QUEUE */
 
 #ifdef CONFIG_KEY_NOTIFICATIONS
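Review bot: `security_post_notification()` is removed from inside the `#ifdef CONFIG_WATCH_QUEUE` block while the guard itself stays, and the deleted body takes a `struct watch_notification *`; make sure the replacement definition is generated under the same guard, otherwise it either references a type that is unavailable when CONFIG_WATCH_QUEUE is off or is missing for the callers that expect it. The same check applies to the wrappers removed later in this file under CONFIG_KEY_NOTIFICATIONS, CONFIG_SECURITY_NETWORK, CONFIG_SECURITY_INFINIBAND, CONFIG_AUDIT, CONFIG_BPF_SYSCALL, CONFIG_PERF_EVENTS and CONFIG_IO_URING.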
@@ -4042,10 +3662,6 @@  int security_post_notification(const struct cred *w_cred,
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_watch_key(struct key *key)
-{
-	return call_int_hook(watch_key, 0, key);
-}
 #endif /* CONFIG_KEY_NOTIFICATIONS */
 
 #ifdef CONFIG_SECURITY_NETWORK
@@ -4070,11 +3686,6 @@  int security_watch_key(struct key *key)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_unix_stream_connect(struct sock *sock, struct sock *other,
-				 struct sock *newsk)
-{
-	return call_int_hook(unix_stream_connect, 0, sock, other, newsk);
-}
 EXPORT_SYMBOL(security_unix_stream_connect);
 
 /**
@@ -4097,10 +3708,6 @@  EXPORT_SYMBOL(security_unix_stream_connect);
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_unix_may_send(struct socket *sock,  struct socket *other)
-{
-	return call_int_hook(unix_may_send, 0, sock, other);
-}
 EXPORT_SYMBOL(security_unix_may_send);
 
 /**
@@ -4114,10 +3721,6 @@  EXPORT_SYMBOL(security_unix_may_send);
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_socket_create(int family, int type, int protocol, int kern)
-{
-	return call_int_hook(socket_create, 0, family, type, protocol, kern);
-}
 
 /**
  * security_socket_post_create() - Initialize a newly created socket
@@ -4137,12 +3740,6 @@  int security_socket_create(int family, int type, int protocol, int kern)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_socket_post_create(struct socket *sock, int family,
-				int type, int protocol, int kern)
-{
-	return call_int_hook(socket_post_create, 0, sock, family, type,
-			     protocol, kern);
-}
 
 /**
  * security_socket_socketpair() - Check if creating a socketpair is allowed
@@ -4154,10 +3751,6 @@  int security_socket_post_create(struct socket *sock, int family,
  * Return: Returns 0 if permission is granted and the connection was
  *         established.
  */
-int security_socket_socketpair(struct socket *socka, struct socket *sockb)
-{
-	return call_int_hook(socket_socketpair, 0, socka, sockb);
-}
 EXPORT_SYMBOL(security_socket_socketpair);
 
 /**
@@ -4172,11 +3765,6 @@  EXPORT_SYMBOL(security_socket_socketpair);
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_socket_bind(struct socket *sock,
-			 struct sockaddr *address, int addrlen)
-{
-	return call_int_hook(socket_bind, 0, sock, address, addrlen);
-}
 
 /**
  * security_socket_connect() - Check if a socket connect operation is allowed
@@ -4189,11 +3777,6 @@  int security_socket_bind(struct socket *sock,
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_socket_connect(struct socket *sock,
-			    struct sockaddr *address, int addrlen)
-{
-	return call_int_hook(socket_connect, 0, sock, address, addrlen);
-}
 
 /**
  * security_socket_listen() - Check if a socket is allowed to listen
@@ -4204,10 +3787,6 @@  int security_socket_connect(struct socket *sock,
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_socket_listen(struct socket *sock, int backlog)
-{
-	return call_int_hook(socket_listen, 0, sock, backlog);
-}
 
 /**
  * security_socket_accept() - Check if a socket is allowed to accept connections
@@ -4220,10 +3799,6 @@  int security_socket_listen(struct socket *sock, int backlog)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_socket_accept(struct socket *sock, struct socket *newsock)
-{
-	return call_int_hook(socket_accept, 0, sock, newsock);
-}
 
 /**
  * security_socket_sendmsg() - Check is sending a message is allowed
@@ -4235,10 +3810,6 @@  int security_socket_accept(struct socket *sock, struct socket *newsock)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size)
-{
-	return call_int_hook(socket_sendmsg, 0, sock, msg, size);
-}
 
 /**
  * security_socket_recvmsg() - Check if receiving a message is allowed
@@ -4251,11 +3822,6 @@  int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_socket_recvmsg(struct socket *sock, struct msghdr *msg,
-			    int size, int flags)
-{
-	return call_int_hook(socket_recvmsg, 0, sock, msg, size, flags);
-}
 
 /**
  * security_socket_getsockname() - Check if reading the socket addr is allowed
@@ -4266,10 +3832,6 @@  int security_socket_recvmsg(struct socket *sock, struct msghdr *msg,
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_socket_getsockname(struct socket *sock)
-{
-	return call_int_hook(socket_getsockname, 0, sock);
-}
 
 /**
  * security_socket_getpeername() - Check if reading the peer's addr is allowed
@@ -4279,10 +3841,6 @@  int security_socket_getsockname(struct socket *sock)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_socket_getpeername(struct socket *sock)
-{
-	return call_int_hook(socket_getpeername, 0, sock);
-}
 
 /**
  * security_socket_getsockopt() - Check if reading a socket option is allowed
@@ -4295,10 +3853,6 @@  int security_socket_getpeername(struct socket *sock)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_socket_getsockopt(struct socket *sock, int level, int optname)
-{
-	return call_int_hook(socket_getsockopt, 0, sock, level, optname);
-}
 
 /**
  * security_socket_setsockopt() - Check if setting a socket option is allowed
@@ -4310,10 +3864,6 @@  int security_socket_getsockopt(struct socket *sock, int level, int optname)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_socket_setsockopt(struct socket *sock, int level, int optname)
-{
-	return call_int_hook(socket_setsockopt, 0, sock, level, optname);
-}
 
 /**
  * security_socket_shutdown() - Checks if shutting down the socket is allowed
@@ -4325,10 +3875,6 @@  int security_socket_setsockopt(struct socket *sock, int level, int optname)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_socket_shutdown(struct socket *sock, int how)
-{
-	return call_int_hook(socket_shutdown, 0, sock, how);
-}
 
 /**
  * security_sock_rcv_skb() - Check if an incoming network packet is allowed
@@ -4452,11 +3998,6 @@  EXPORT_SYMBOL(security_sk_classify_flow);
  *
  * Sets @flic's secid to @req's secid.
  */
-void security_req_classify_flow(const struct request_sock *req,
-				struct flowi_common *flic)
-{
-	call_void_hook(req_classify_flow, req, flic);
-}
 EXPORT_SYMBOL(security_req_classify_flow);
 
 /**
@@ -4467,10 +4008,6 @@  EXPORT_SYMBOL(security_req_classify_flow);
  * Sets @parent's inode secid to @sk's secid and update @sk with any necessary
  * LSM state from @parent.
  */
-void security_sock_graft(struct sock *sk, struct socket *parent)
-{
-	call_void_hook(sock_graft, sk, parent);
-}
 EXPORT_SYMBOL(security_sock_graft);
 
 /**
@@ -4483,11 +4020,6 @@  EXPORT_SYMBOL(security_sock_graft);
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_inet_conn_request(const struct sock *sk,
-			       struct sk_buff *skb, struct request_sock *req)
-{
-	return call_int_hook(inet_conn_request, 0, sk, skb, req);
-}
 EXPORT_SYMBOL(security_inet_conn_request);
 
 /**
@@ -4497,11 +4029,6 @@  EXPORT_SYMBOL(security_inet_conn_request);
  *
  * Set that LSM state of @sock using the LSM state from @req.
  */
-void security_inet_csk_clone(struct sock *newsk,
-			     const struct request_sock *req)
-{
-	call_void_hook(inet_csk_clone, newsk, req);
-}
 
 /**
  * security_inet_conn_established() - Update sock's LSM state with connection
@@ -4510,11 +4037,6 @@  void security_inet_csk_clone(struct sock *newsk,
  *
  * Update @sock's LSM state to represent a new connection from @skb.
  */
-void security_inet_conn_established(struct sock *sk,
-				    struct sk_buff *skb)
-{
-	call_void_hook(inet_conn_established, sk, skb);
-}
 EXPORT_SYMBOL(security_inet_conn_established);
 
 /**
@@ -4525,10 +4047,6 @@  EXPORT_SYMBOL(security_inet_conn_established);
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_secmark_relabel_packet(u32 secid)
-{
-	return call_int_hook(secmark_relabel_packet, 0, secid);
-}
 EXPORT_SYMBOL(security_secmark_relabel_packet);
 
 /**
@@ -4536,10 +4054,6 @@  EXPORT_SYMBOL(security_secmark_relabel_packet);
  *
  * Tells the LSM to increment the number of secmark labeling rules loaded.
  */
-void security_secmark_refcount_inc(void)
-{
-	call_void_hook(secmark_refcount_inc);
-}
 EXPORT_SYMBOL(security_secmark_refcount_inc);
 
 /**
@@ -4547,10 +4061,6 @@  EXPORT_SYMBOL(security_secmark_refcount_inc);
  *
  * Tells the LSM to decrement the number of secmark labeling rules loaded.
  */
-void security_secmark_refcount_dec(void)
-{
-	call_void_hook(secmark_refcount_dec);
-}
 EXPORT_SYMBOL(security_secmark_refcount_dec);
 
 /**
@@ -4562,10 +4072,6 @@  EXPORT_SYMBOL(security_secmark_refcount_dec);
  *
  * Return: Returns a zero on success, negative values on failure.
  */
-int security_tun_dev_alloc_security(void **security)
-{
-	return call_int_hook(tun_dev_alloc_security, 0, security);
-}
 EXPORT_SYMBOL(security_tun_dev_alloc_security);
 
 /**
@@ -4574,10 +4080,6 @@  EXPORT_SYMBOL(security_tun_dev_alloc_security);
  *
  * This hook allows a module to free the security structure for a TUN device.
  */
-void security_tun_dev_free_security(void *security)
-{
-	call_void_hook(tun_dev_free_security, security);
-}
 EXPORT_SYMBOL(security_tun_dev_free_security);
 
 /**
@@ -4587,10 +4089,6 @@  EXPORT_SYMBOL(security_tun_dev_free_security);
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_tun_dev_create(void)
-{
-	return call_int_hook(tun_dev_create, 0);
-}
 EXPORT_SYMBOL(security_tun_dev_create);
 
 /**
@@ -4601,10 +4099,6 @@  EXPORT_SYMBOL(security_tun_dev_create);
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_tun_dev_attach_queue(void *security)
-{
-	return call_int_hook(tun_dev_attach_queue, 0, security);
-}
 EXPORT_SYMBOL(security_tun_dev_attach_queue);
 
 /**
@@ -4617,10 +4111,6 @@  EXPORT_SYMBOL(security_tun_dev_attach_queue);
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_tun_dev_attach(struct sock *sk, void *security)
-{
-	return call_int_hook(tun_dev_attach, 0, sk, security);
-}
 EXPORT_SYMBOL(security_tun_dev_attach);
 
 /**
@@ -4632,10 +4122,6 @@  EXPORT_SYMBOL(security_tun_dev_attach);
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_tun_dev_open(void *security)
-{
-	return call_int_hook(tun_dev_open, 0, security);
-}
 EXPORT_SYMBOL(security_tun_dev_open);
 
 /**
@@ -4647,11 +4133,6 @@  EXPORT_SYMBOL(security_tun_dev_open);
  *
  * Return: Returns 0 on success, error on failure.
  */
-int security_sctp_assoc_request(struct sctp_association *asoc,
-				struct sk_buff *skb)
-{
-	return call_int_hook(sctp_assoc_request, 0, asoc, skb);
-}
 EXPORT_SYMBOL(security_sctp_assoc_request);
 
 /**
@@ -4668,12 +4149,6 @@  EXPORT_SYMBOL(security_sctp_assoc_request);
  *
  * Return: Returns 0 on success, error on failure.
  */
-int security_sctp_bind_connect(struct sock *sk, int optname,
-			       struct sockaddr *address, int addrlen)
-{
-	return call_int_hook(sctp_bind_connect, 0, sk, optname,
-			     address, addrlen);
-}
 EXPORT_SYMBOL(security_sctp_bind_connect);
 
 /**
@@ -4686,11 +4161,6 @@  EXPORT_SYMBOL(security_sctp_bind_connect);
  * socket) or when a socket is 'peeled off' e.g userspace calls
  * sctp_peeloff(3).
  */
-void security_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,
-			    struct sock *newsk)
-{
-	call_void_hook(sctp_sk_clone, asoc, sk, newsk);
-}
 EXPORT_SYMBOL(security_sctp_sk_clone);
 
 /**
@@ -4703,11 +4173,6 @@  EXPORT_SYMBOL(security_sctp_sk_clone);
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_sctp_assoc_established(struct sctp_association *asoc,
-				    struct sk_buff *skb)
-{
-	return call_int_hook(sctp_assoc_established, 0, asoc, skb);
-}
 EXPORT_SYMBOL(security_sctp_assoc_established);
 
 /**
@@ -4722,10 +4187,6 @@  EXPORT_SYMBOL(security_sctp_assoc_established);
  *
  * Return: Returns 0 on success or a negative error code on failure.
  */
-int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
-{
-	return call_int_hook(mptcp_add_subflow, 0, sk, ssk);
-}
 
 #endif	/* CONFIG_SECURITY_NETWORK */
 
@@ -4740,10 +4201,6 @@  int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_ib_pkey_access(void *sec, u64 subnet_prefix, u16 pkey)
-{
-	return call_int_hook(ib_pkey_access, 0, sec, subnet_prefix, pkey);
-}
 EXPORT_SYMBOL(security_ib_pkey_access);
 
 /**
@@ -4756,12 +4213,6 @@  EXPORT_SYMBOL(security_ib_pkey_access);
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_ib_endport_manage_subnet(void *sec,
-				      const char *dev_name, u8 port_num)
-{
-	return call_int_hook(ib_endport_manage_subnet, 0, sec,
-			     dev_name, port_num);
-}
 EXPORT_SYMBOL(security_ib_endport_manage_subnet);
 
 /**
@@ -4772,10 +4223,6 @@  EXPORT_SYMBOL(security_ib_endport_manage_subnet);
  *
  * Return: Returns 0 on success, non-zero on failure.
  */
-int security_ib_alloc_security(void **sec)
-{
-	return call_int_hook(ib_alloc_security, 0, sec);
-}
 EXPORT_SYMBOL(security_ib_alloc_security);
 
 /**
@@ -4784,10 +4231,6 @@  EXPORT_SYMBOL(security_ib_alloc_security);
  *
  * Deallocate an Infiniband security structure.
  */
-void security_ib_free_security(void *sec)
-{
-	call_void_hook(ib_free_security, sec);
-}
 EXPORT_SYMBOL(security_ib_free_security);
 #endif	/* CONFIG_SECURITY_INFINIBAND */
 
@@ -4803,12 +4246,6 @@  EXPORT_SYMBOL(security_ib_free_security);
  *
  * Return:  Return 0 if operation was successful.
  */
-int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
-			       struct xfrm_user_sec_ctx *sec_ctx,
-			       gfp_t gfp)
-{
-	return call_int_hook(xfrm_policy_alloc_security, 0, ctxp, sec_ctx, gfp);
-}
 EXPORT_SYMBOL(security_xfrm_policy_alloc);
 
 /**
@@ -4821,11 +4258,6 @@  EXPORT_SYMBOL(security_xfrm_policy_alloc);
  *
  * Return: Return 0 if operation was successful.
  */
-int security_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
-			       struct xfrm_sec_ctx **new_ctxp)
-{
-	return call_int_hook(xfrm_policy_clone_security, 0, old_ctx, new_ctxp);
-}
 
 /**
  * security_xfrm_policy_free() - Free a xfrm security context
@@ -4833,10 +4265,6 @@  int security_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
  *
  * Free LSM resources associated with @ctx.
  */
-void security_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
-{
-	call_void_hook(xfrm_policy_free_security, ctx);
-}
 EXPORT_SYMBOL(security_xfrm_policy_free);
 
 /**
@@ -4847,10 +4275,6 @@  EXPORT_SYMBOL(security_xfrm_policy_free);
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
-{
-	return call_int_hook(xfrm_policy_delete_security, 0, ctx);
-}
 
 /**
  * security_xfrm_state_alloc() - Allocate a xfrm state LSM blob
@@ -4863,11 +4287,6 @@  int security_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
  *
  * Return: Return 0 if operation was successful.
  */
-int security_xfrm_state_alloc(struct xfrm_state *x,
-			      struct xfrm_user_sec_ctx *sec_ctx)
-{
-	return call_int_hook(xfrm_state_alloc, 0, x, sec_ctx);
-}
 EXPORT_SYMBOL(security_xfrm_state_alloc);
 
 /**
@@ -4882,11 +4301,6 @@  EXPORT_SYMBOL(security_xfrm_state_alloc);
  *
  * Return: Returns 0 if operation was successful.
  */
-int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
-				      struct xfrm_sec_ctx *polsec, u32 secid)
-{
-	return call_int_hook(xfrm_state_alloc_acquire, 0, x, polsec, secid);
-}
 
 /**
  * security_xfrm_state_delete() - Check if deleting a xfrm state is allowed
@@ -4896,10 +4310,6 @@  int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_xfrm_state_delete(struct xfrm_state *x)
-{
-	return call_int_hook(xfrm_state_delete_security, 0, x);
-}
 EXPORT_SYMBOL(security_xfrm_state_delete);
 
 /**
@@ -4908,10 +4318,6 @@  EXPORT_SYMBOL(security_xfrm_state_delete);
  *
  * Deallocate x->security.
  */
-void security_xfrm_state_free(struct xfrm_state *x)
-{
-	call_void_hook(xfrm_state_free_security, x);
-}
 
 /**
  * security_xfrm_policy_lookup() - Check if using a xfrm policy is allowed
@@ -4925,10 +4331,6 @@  void security_xfrm_state_free(struct xfrm_state *x)
  * Return: Return 0 if permission is granted, -ESRCH otherwise, or -errno on
  *         other errors.
  */
-int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid)
-{
-	return call_int_hook(xfrm_policy_lookup, 0, ctx, fl_secid);
-}
 
 /**
  * security_xfrm_state_pol_flow_match() - Check for a xfrm match
@@ -4973,10 +4375,6 @@  int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
  *
  * Return: Return 0 if all xfrms used have the same secid.
  */
-int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
-{
-	return call_int_hook(xfrm_decode_session, 0, skb, secid, 1);
-}
 
 void security_skb_classify_flow(struct sk_buff *skb, struct flowi_common *flic)
 {
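Review bot: the deleted `security_xfrm_decode_session()` passed a trailing constant `1` to the hook (`call_int_hook(xfrm_decode_session, 0, skb, secid, 1)`) that is not part of its own `(skb, secid)` parameter list, so the wrapper's prototype and the hook's prototype differ. A generated replacement that simply forwards the wrapper's arguments would drop that flag; this hook needs to be special-cased, and the commit message should say so. The adjacent `security_skb_classify_flow()` wrapper around the same hook stays in this file, so the two callers of this hook are now handled differently, which is worth a sentence of explanation.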
@@ -5000,11 +4398,6 @@  EXPORT_SYMBOL(security_skb_classify_flow);
  *
  * Return: Return 0 if permission is granted, -ve error otherwise.
  */
-int security_key_alloc(struct key *key, const struct cred *cred,
-		       unsigned long flags)
-{
-	return call_int_hook(key_alloc, 0, key, cred, flags);
-}
 
 /**
  * security_key_free() - Free a kernel key LSM blob
@@ -5012,10 +4405,6 @@  int security_key_alloc(struct key *key, const struct cred *cred,
  *
  * Notification of destruction; free security data.
  */
-void security_key_free(struct key *key)
-{
-	call_void_hook(key_free, key);
-}
 
 /**
  * security_key_permission() - Check if a kernel key operation is allowed
@@ -5027,11 +4416,6 @@  void security_key_free(struct key *key)
  *
  * Return: Return 0 if permission is granted, -ve error otherwise.
  */
-int security_key_permission(key_ref_t key_ref, const struct cred *cred,
-			    enum key_need_perm need_perm)
-{
-	return call_int_hook(key_permission, 0, key_ref, cred, need_perm);
-}
 
 /**
  * security_key_getsecurity() - Get the key's security label
@@ -5066,10 +4450,6 @@  int security_key_getsecurity(struct key *key, char **buffer)
  * Return: Return 0 if @lsmrule has been successfully set, -EINVAL in case of
  *         an invalid rule.
  */
-int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule)
-{
-	return call_int_hook(audit_rule_init, 0, field, op, rulestr, lsmrule);
-}
 
 /**
  * security_audit_rule_known() - Check if an audit rule contains LSM fields
@@ -5080,10 +4460,6 @@  int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule)
  *
  * Return: Returns 1 in case of relation found, 0 otherwise.
  */
-int security_audit_rule_known(struct audit_krule *krule)
-{
-	return call_int_hook(audit_rule_known, 0, krule);
-}
 
 /**
  * security_audit_rule_free() - Free an LSM audit rule struct
@@ -5092,10 +4468,6 @@  int security_audit_rule_known(struct audit_krule *krule)
  * Deallocate the LSM audit rule structure previously allocated by
  * audit_rule_init().
  */
-void security_audit_rule_free(void *lsmrule)
-{
-	call_void_hook(audit_rule_free, lsmrule);
-}
 
 /**
  * security_audit_rule_match() - Check if a label matches an audit rule
@@ -5110,10 +4482,6 @@  void security_audit_rule_free(void *lsmrule)
  * Return: Returns 1 if secid matches the rule, 0 if it does not, -ERRNO on
  *         failure.
  */
-int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule)
-{
-	return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule);
-}
 #endif /* CONFIG_AUDIT */
 
 #ifdef CONFIG_BPF_SYSCALL
@@ -5129,10 +4497,6 @@  int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_bpf(int cmd, union bpf_attr *attr, unsigned int size)
-{
-	return call_int_hook(bpf, 0, cmd, attr, size);
-}
 
 /**
  * security_bpf_map() - Check if access to a bpf map is allowed
@@ -5144,10 +4508,6 @@  int security_bpf(int cmd, union bpf_attr *attr, unsigned int size)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_bpf_map(struct bpf_map *map, fmode_t fmode)
-{
-	return call_int_hook(bpf_map, 0, map, fmode);
-}
 
 /**
  * security_bpf_prog() - Check if access to a bpf program is allowed
@@ -5158,10 +4518,6 @@  int security_bpf_map(struct bpf_map *map, fmode_t fmode)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_bpf_prog(struct bpf_prog *prog)
-{
-	return call_int_hook(bpf_prog, 0, prog);
-}
 
 /**
  * security_bpf_map_alloc() - Allocate a bpf map LSM blob
@@ -5171,10 +4527,6 @@  int security_bpf_prog(struct bpf_prog *prog)
  *
  * Return: Returns 0 on success, error on failure.
  */
-int security_bpf_map_alloc(struct bpf_map *map)
-{
-	return call_int_hook(bpf_map_alloc_security, 0, map);
-}
 
 /**
  * security_bpf_prog_alloc() - Allocate a bpf program LSM blob
@@ -5184,10 +4536,6 @@  int security_bpf_map_alloc(struct bpf_map *map)
  *
  * Return: Returns 0 on success, error on failure.
  */
-int security_bpf_prog_alloc(struct bpf_prog_aux *aux)
-{
-	return call_int_hook(bpf_prog_alloc_security, 0, aux);
-}
 
 /**
  * security_bpf_map_free() - Free a bpf map's LSM blob
@@ -5195,10 +4543,6 @@  int security_bpf_prog_alloc(struct bpf_prog_aux *aux)
  *
  * Clean up the security information stored inside bpf map.
  */
-void security_bpf_map_free(struct bpf_map *map)
-{
-	call_void_hook(bpf_map_free_security, map);
-}
 
 /**
  * security_bpf_prog_free() - Free a bpf program's LSM blob
@@ -5206,10 +4550,6 @@  void security_bpf_map_free(struct bpf_map *map)
  *
  * Clean up the security information stored inside bpf prog.
  */
-void security_bpf_prog_free(struct bpf_prog_aux *aux)
-{
-	call_void_hook(bpf_prog_free_security, aux);
-}
 #endif /* CONFIG_BPF_SYSCALL */
 
 /**
@@ -5221,10 +4561,6 @@  void security_bpf_prog_free(struct bpf_prog_aux *aux)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_locked_down(enum lockdown_reason what)
-{
-	return call_int_hook(locked_down, 0, what);
-}
 EXPORT_SYMBOL(security_locked_down);
 
 #ifdef CONFIG_PERF_EVENTS
@@ -5237,10 +4573,6 @@  EXPORT_SYMBOL(security_locked_down);
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_perf_event_open(struct perf_event_attr *attr, int type)
-{
-	return call_int_hook(perf_event_open, 0, attr, type);
-}
 
 /**
  * security_perf_event_alloc() - Allocate a perf event LSM blob
@@ -5250,10 +4582,6 @@  int security_perf_event_open(struct perf_event_attr *attr, int type)
  *
  * Return: Returns 0 on success, error on failure.
  */
-int security_perf_event_alloc(struct perf_event *event)
-{
-	return call_int_hook(perf_event_alloc, 0, event);
-}
 
 /**
  * security_perf_event_free() - Free a perf event LSM blob
@@ -5261,10 +4589,6 @@  int security_perf_event_alloc(struct perf_event *event)
  *
  * Release (free) perf_event security info.
  */
-void security_perf_event_free(struct perf_event *event)
-{
-	call_void_hook(perf_event_free, event);
-}
 
 /**
  * security_perf_event_read() - Check if reading a perf event label is allowed
@@ -5274,10 +4598,6 @@  void security_perf_event_free(struct perf_event *event)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_perf_event_read(struct perf_event *event)
-{
-	return call_int_hook(perf_event_read, 0, event);
-}
 
 /**
  * security_perf_event_write() - Check if writing a perf event label is allowed
@@ -5287,10 +4607,6 @@  int security_perf_event_read(struct perf_event *event)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_perf_event_write(struct perf_event *event)
-{
-	return call_int_hook(perf_event_write, 0, event);
-}
 #endif /* CONFIG_PERF_EVENTS */
 
 #ifdef CONFIG_IO_URING
@@ -5303,10 +4619,6 @@  int security_perf_event_write(struct perf_event *event)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_uring_override_creds(const struct cred *new)
-{
-	return call_int_hook(uring_override_creds, 0, new);
-}
 
 /**
  * security_uring_sqpoll() - Check if IORING_SETUP_SQPOLL is allowed
@@ -5316,10 +4628,6 @@  int security_uring_override_creds(const struct cred *new)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_uring_sqpoll(void)
-{
-	return call_int_hook(uring_sqpoll, 0);
-}
 
 /**
  * security_uring_cmd() - Check if a io_uring passthrough command is allowed
@@ -5329,8 +4637,4 @@  int security_uring_sqpoll(void)
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_uring_cmd(struct io_uring_cmd *ioucmd)
-{
-	return call_int_hook(uring_cmd, 0, ioucmd);
-}
 #endif /* CONFIG_IO_URING */