Restrict the secmark_refcount_dec and secmark_refcount_inc interfaces to a single module. The secmark is too small to share, and this allows the modules a way to detect if the secmark is theirs to use. Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx> --- security/security.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/security/security.c b/security/security.c index e9f579483d12..0467f194d87d 100644 --- a/security/security.c +++ b/security/security.c @@ -2564,13 +2564,25 @@ EXPORT_SYMBOL(security_secmark_relabel_packet); void security_secmark_refcount_inc(void) { - call_void_hook(secmark_refcount_inc); + struct security_hook_list *hp; + + hlist_for_each_entry(hp, &security_hook_heads.secmark_refcount_inc, + list) { + hp->hook.secmark_refcount_inc(); + break; + } } EXPORT_SYMBOL(security_secmark_refcount_inc); void security_secmark_refcount_dec(void) { - call_void_hook(secmark_refcount_dec); + struct security_hook_list *hp; + + hlist_for_each_entry(hp, &security_hook_heads.secmark_refcount_dec, + list) { + hp->hook.secmark_refcount_dec(); + break; + } } EXPORT_SYMBOL(security_secmark_refcount_dec); -- 2.20.1