Re: [PATCH -next] selinux: cleanup obsolete comments for selinux_hooks[]

On Mon, Jul 31, 2023 at 9:39 PM Xiu Jianfeng <xiujianfeng@xxxxxxxxxx> wrote:
>
> After commit f22f9aaf6c3d ("selinux: remove the runtime disable
> functionality"), the order in selinux_hooks[] does not affect
> any selinux function, so remove the comments.
>
> Signed-off-by: Xiu Jianfeng <xiujianfeng@xxxxxxxxxx>
> ---
>  security/selinux/hooks.c | 21 ---------------------
>  1 file changed, 21 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 2906fdaf7371..ef813970cb9c 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -6951,21 +6951,6 @@ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
>  }
>  #endif /* CONFIG_IO_URING */
>
> -/*
> - * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
> - * 1. any hooks that don't belong to (2.) or (3.) below,
> - * 2. hooks that both access structures allocated by other hooks, and allocate
> - *    structures that can be later accessed by other hooks (mostly "cloning"
> - *    hooks),
> - * 3. hooks that only allocate structures that can be later accessed by other
> - *    hooks ("allocating" hooks).
> - *
> - * Please follow block comment delimiters in the list to keep this order.
> - *
> - * This ordering is needed for SELinux runtime disable to work at least somewhat
> - * safely. Breaking the ordering rules above might lead to NULL pointer derefs
> - * when disabling SELinux at runtime.
> - */

I don't mind the hook ordering message, even if it is not strictly
necessary anymore, so let's keep it for now.  However, if you wanted
to remove that last paragraph about it being needed to support the
runtime disable functionality that would be okay.

>  static struct security_hook_list selinux_hooks[] __ro_after_init = {
>         LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
>         LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
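Review bot: the deletion takes the whole ordering comment, but only its last paragraph ("This ordering is needed for SELinux runtime disable to work ...") is tied to the removed runtime-disable feature that the commit message cites; points 1-3 still describe how selinux_hooks[] is grouped, so consider trimming the hunk to that final paragraph and keeping the grouping rules so the layout intent survives.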
> @@ -7201,9 +7186,6 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
>         LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd),
>  #endif
>
> -       /*
> -        * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE
> -        */
>         LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
>         LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
>         LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
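Review bot: removing the "CLONING" delimiter leaves a dangling reference if any part of the header comment is kept: that comment says "Please follow block comment delimiters in the list to keep this order", and with the delimiters gone there is nothing for it to point at. Either drop the delimiters and that sentence together, or keep the delimiter as the only remaining marker of where the cloning group (fs_context_dup and following) starts.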
> @@ -7211,9 +7193,6 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
>         LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
>  #endif
>
> -       /*
> -        * PUT "ALLOCATING" HOOKS HERE
> -        */
>         LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
>         LSM_HOOK_INIT(msg_queue_alloc_security,
>                       selinux_msg_queue_alloc_security),
> --
> 2.34.1

-- 
paul-moore.com
