apparmor: move initcalls to the LSM framework

pcmoore · pcmoore · commit 7cbe11353751 · 2025-10-22T19:24:27.000-04:00
Reviewed-by: Kees Cook &lt;kees@kernel.org&gt;
Acked-by: John Johansen &lt;john.johansen@canonical.com&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
@@ -2649,7 +2649,7 @@ static const struct inode_operations policy_link_iops = {
  *
  * Returns: error on failure
  */
-static int __init aa_create_aafs(void)
+int __init aa_create_aafs(void)
 {
 	struct dentry *dent;
 	int error;
@@ -2728,5 +2728,3 @@ static int __init aa_create_aafs(void)
 	AA_ERROR("Error creating AppArmor securityfs\n");
 	return error;
 }
-
-fs_initcall(aa_create_aafs);
diff --git a/security/apparmor/crypto.c b/security/apparmor/crypto.c
@@ -53,10 +53,9 @@ int aa_calc_profile_hash(struct aa_profile *profile, u32 version, void *start,
 	return 0;
 }
 
-static int __init init_profile_hash(void)
+int __init init_profile_hash(void)
 {
 	if (apparmor_initialized)
 		aa_info_message("AppArmor sha256 policy hashing enabled");
 	return 0;
 }
-late_initcall(init_profile_hash);
diff --git a/security/apparmor/include/apparmorfs.h b/security/apparmor/include/apparmorfs.h
@@ -104,6 +104,8 @@ enum aafs_prof_type {
 #define prof_dir(X) ((X)->dents[AAFS_PROF_DIR])
 #define prof_child_dir(X) ((X)->dents[AAFS_PROF_PROFS])
 
+int aa_create_aafs(void);
+
 void __aa_bump_ns_revision(struct aa_ns *ns);
 void __aafs_profile_rmdir(struct aa_profile *profile);
 void __aafs_profile_migrate_dents(struct aa_profile *old,
diff --git a/security/apparmor/include/crypto.h b/security/apparmor/include/crypto.h
@@ -13,6 +13,7 @@
 #include "policy.h"
 
 #ifdef CONFIG_SECURITY_APPARMOR_HASH
+int init_profile_hash(void);
 unsigned int aa_hash_size(void);
 char *aa_calc_hash(void *data, size_t len);
 int aa_calc_profile_hash(struct aa_profile *profile, u32 version, void *start,
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
@@ -32,6 +32,7 @@
 #include "include/audit.h"
 #include "include/capability.h"
 #include "include/cred.h"
+#include "include/crypto.h"
 #include "include/file.h"
 #include "include/ipc.h"
 #include "include/net.h"
@@ -2426,7 +2427,6 @@ static int __init apparmor_nf_ip_init(void)
 
 	return 0;
 }
-__initcall(apparmor_nf_ip_init);
 #endif
 
 static char nulldfa_src[] __aligned(8) = {
@@ -2560,4 +2560,11 @@ DEFINE_LSM(apparmor) = {
 	.enabled = &apparmor_enabled,
 	.blobs = &apparmor_blob_sizes,
 	.init = apparmor_init,
+	.initcall_fs = aa_create_aafs,
+#if defined(CONFIG_NETFILTER) && defined(CONFIG_NETWORK_SECMARK)
+	.initcall_device = apparmor_nf_ip_init,
+#endif
+#ifdef CONFIG_SECURITY_APPARMOR_HASH
+	.initcall_late = init_profile_hash,
+#endif
 };

Original file line number	Diff line number	Diff line change
`@@ -2649,7 +2649,7 @@ static const struct inode_operations policy_link_iops = {`
`2649`	`2649`	`*`
`2650`	`2650`	`* Returns: error on failure`
`2651`	`2651`	`*/`
`2652`		`-static int __init aa_create_aafs(void)`
	`2652`	`+int __init aa_create_aafs(void)`
`2653`	`2653`	`{`
`2654`	`2654`	`struct dentry *dent;`
`2655`	`2655`	`int error;`
`@@ -2728,5 +2728,3 @@ static int __init aa_create_aafs(void)`
`2728`	`2728`	`AA_ERROR("Error creating AppArmor securityfs\n");`
`2729`	`2729`	`return error;`
`2730`	`2730`	`}`
`2731`		`-`
`2732`		`-fs_initcall(aa_create_aafs);`
Original file line number	Diff line number	Diff line change
`@@ -53,10 +53,9 @@ int aa_calc_profile_hash(struct aa_profile profile, u32 version, void start,`
`53`	`53`	`return 0;`
`54`	`54`	`}`
`55`	`55`
`56`		`-static int __init init_profile_hash(void)`
	`56`	`+int __init init_profile_hash(void)`
`57`	`57`	`{`
`58`	`58`	`if (apparmor_initialized)`
`59`	`59`	`aa_info_message("AppArmor sha256 policy hashing enabled");`
`60`	`60`	`return 0;`
`61`	`61`	`}`
`62`		`-late_initcall(init_profile_hash);`