Hi, On 2023/8/4 10:25, Paul Moore wrote: > On Mon, Jul 31, 2023 at 9:39 PM Xiu Jianfeng <xiujianfeng@xxxxxxxxxx> wrote: >> >> After commit f22f9aaf6c3d ("selinux: remove the runtime disable >> functionality"), the order in selinux_hooks[] does not affect >> any selinux function, so remove the comments. >> >> Signed-off-by: Xiu Jianfeng <xiujianfeng@xxxxxxxxxx> >> --- >> security/selinux/hooks.c | 21 --------------------- >> 1 file changed, 21 deletions(-) >> >> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c >> index 2906fdaf7371..ef813970cb9c 100644 >> --- a/security/selinux/hooks.c >> +++ b/security/selinux/hooks.c >> @@ -6951,21 +6951,6 @@ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd) >> } >> #endif /* CONFIG_IO_URING */ >> >> -/* >> - * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order: >> - * 1. any hooks that don't belong to (2.) or (3.) below, >> - * 2. hooks that both access structures allocated by other hooks, and allocate >> - * structures that can be later accessed by other hooks (mostly "cloning" >> - * hooks), >> - * 3. hooks that only allocate structures that can be later accessed by other >> - * hooks ("allocating" hooks). >> - * >> - * Please follow block comment delimiters in the list to keep this order. >> - * >> - * This ordering is needed for SELinux runtime disable to work at least somewhat >> - * safely. Breaking the ordering rules above might lead to NULL pointer derefs >> - * when disabling SELinux at runtime. >> - */ > > I don't mind the hook ordering message, even if it is not strictly > necessary anymore, so let's keep it for now. However, if you wanted > to remove that last paragraph about it being needed to support the > runtime disable functionality that would be okay. Thanks, I will send another one. > >> static struct security_hook_list selinux_hooks[] __ro_after_init = { >> LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), >> LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), >> @@ -7201,9 +7186,6 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { >> LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd), >> #endif >> >> - /* >> - * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE >> - */ >> LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup), >> LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param), >> LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts), >> @@ -7211,9 +7193,6 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { >> LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), >> #endif >> >> - /* >> - * PUT "ALLOCATING" HOOKS HERE >> - */ >> LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), >> LSM_HOOK_INIT(msg_queue_alloc_security, >> selinux_msg_queue_alloc_security), >> -- >> 2.34.1 >