An Analysis of the LSM (Linux Security Modules) Framework

1. Basic principles

LSM is a framework for kernel security modules; at its core it is an instrumentation (hooking) technique. It has two main characteristics:

  • 1. Hook points are inserted on the security-relevant critical paths inside the kernel:

The security-relevant kernel objects are: task_struct (tasks and processes), linux_binprm (programs), super_block (file systems), inode (pipes, files or sockets), file (open files), sk_buff (network buffers), net_device (network devices), kern_ipc_perm (semaphores, shared memory segments and message queues) and msg_msg (individual messages).


As the figure above shows, the system calls that operate on these objects are the critical paths. On these critical paths LSM uses static instrumentation to insert a set of pre-defined hook points.

  • 2. What the LSM hook points are for:


As the figure above shows, the security checking on a system-call path is divided into several stages:

1. First, functional error checking is done through the existing internal interfaces.
2. Then the discretionary access control (DAC) check is performed.
3. Finally, the LSM hook function is called.

Discretionary Access Control (DAC) means that a subject that owns (or controls) an object can, at its own discretion, grant one or more access rights to that object to other subjects, and can revoke those rights at any later time. The control is discretionary in the sense that the subject (user) holding the right to grant access decides for itself whether to grant a subset of its access permissions to other subjects, or to take back permissions it has previously granted.
This is the traditional Linux UID/GID mechanism: Linux manages permissions through the UIDs/GIDs of users, processes and files. File permissions are divided into read, write and execute, written r, w and x. Every file has three sets of read/write/execute bits: for the file's owner (u), for the owner's group (g) and for all other users (o). So if a user wants to let another user access a file they created, they only need to set the file's "other" permission bits accordingly. Control over a file's permissions rests with its owner.

The counterpart is Mandatory Access Control (MAC), an access control enforced by the operating system whose goal is to constrain the ability of a subject (initiator) to access, or perform some operation on, an object (target). The subject is usually a process or thread; the object may be a file, directory, TCP/UDP port, shared memory segment, I/O device and so on. Whenever a subject tries to access an object, the operating system kernel enforces the authorization rules: it examines the security attributes and decides whether the access may proceed. Likewise, every operation by any subject on any object is tested against a set of authorization rules (the policy) to decide whether it is allowed.
In other words, under MAC users cannot override or modify the policy; the policy is controlled centrally by a security administrator. By contrast, DAC can also control subjects' access to objects, but it lets users make policy decisions and assign security attributes. Recent MAC implementations include SELinux and AppArmor for Linux, and Mandatory Integrity Control for Windows.

The LSM framework is generally used to implement MAC; the common examples are SELinux and AppArmor.

2. Implementation

2.1 How the instrumentation works

Static instrumentation points are inserted explicitly into the security-relevant system calls. For example, the open() system call invokes security_file_open():

vfs_open() -> do_dentry_open():

do_dentry_open()
{
	...
	/* (1) the LSM framework's hook function for open() */
	error = security_file_open(f, cred);
	if (error)
		goto cleanup_all;
	...
}

security_file_open() is an LSM stub (hook) function. It is only a framework: when it is called, it invokes every function on the corresponding list in turn.

security/security.c:

int security_file_open(struct file *file, const struct cred *cred)
{
	int ret;

	/* (1.1) call every handler on the list, one after another */
	ret = call_int_hook(file_open, 0, file, cred);
	if (ret)
		return ret;

	return fsnotify_perm(file, MAY_OPEN);
}

↓

#define call_int_hook(FUNC, IRC, ...) ({			\
	int RC = IRC;						\
	do {							\
		struct security_hook_list *P;			\
								\
		/* (1.1.1) the list for open() is security_hook_heads.file_open */ \
		list_for_each_entry(P, &security_hook_heads.FUNC, list) { \
			/* (1.1.2) each node's P->hook.FUNC is a function pointer */ \
			RC = P->hook.FUNC(__VA_ARGS__);		\
			if (RC != 0)				\
				break;				\
		}						\
	} while (0);						\
	RC;							\
})

Through this mechanism, a security module can register its own handler functions with the LSM framework.

2.2 Registering new callbacks

For example, SELinux registers its own handler on the security_hook_heads.file_open list that belongs to the open() operation.

  • 1. Definition:
security/selinux/hooks.c:

static struct security_hook_list selinux_hooks[] = {
    ...

	LSM_HOOK_INIT(file_open, selinux_file_open),

    ...
};

#define LSM_HOOK_INIT(HEAD, HOOK) \
	{ .head = &security_hook_heads.HEAD, .hook = { .HEAD = HOOK } }

The definition above expands to

	{ .head = &security_hook_heads.file_open, .hook = { .file_open = selinux_file_open } }
  • 2. Registration:
static __init int selinux_init(void)
{

	security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));

}

↓

static inline void security_add_hooks(struct security_hook_list *hooks,
				      int count)
{
	int i;

	/* (1) add each custom selinux_hooks[n] entry to the LSM global list it names, e.g. security_hook_heads.file_open */
	for (i = 0; i < count; i++)
		list_add_tail_rcu(&hooks[i].list, hooks[i].head);
}
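The three-stage order from section 1 (functional checks, then DAC, then the LSM hooks) together with the list walk of call_int_hook() and the registration done by security_add_hooks() above, condensed into a user-space C model. This is an added example, not kernel, SELinux or AppArmor code: the two modules, the simplified inode and try_open() are constructed for illustration, and only the names mirror the kernel's.

```c
#include <errno.h>
#include <string.h>
struct inode { const char *path; int owner_uid; unsigned mode; };   /* just what DAC needs */
union security_list_options { int (*file_open)(const struct inode *, int); };
struct security_hook_list {
	struct security_hook_list *next;    /* stands in for struct list_head */
	struct security_hook_list **head;   /* points at security_hook_heads.file_open */
	union security_list_options hook;
};
static struct { struct security_hook_list *file_open; } security_hook_heads;
static int hooks_invoked;   /* how many hook functions ran during the last open */
#define LSM_HOOK_INIT(HEAD, HOOK) { NULL, &security_hook_heads.HEAD, { .HEAD = HOOK } }

/* security_add_hooks(): append each entry to the list its .head points at, so
 * registration order becomes call order (list_add_tail_rcu() in the kernel). */
static void security_add_hooks(struct security_hook_list *hooks, int count)
{
	for (int i = 0; i < count; i++) {
		struct security_hook_list **p = hooks[i].head;
		while (*p) p = &(*p)->next;
		hooks[i].next = NULL;
		*p = &hooks[i];
	}
}

/* call_int_hook(file_open, 0, ...) as a function: the first non-zero return ends
 * the walk, so once one module denies, the modules after it are never asked. */
static int security_file_open(const struct inode *ino, int uid)
{
	int rc = 0;
	for (struct security_hook_list *p = security_hook_heads.file_open; p; p = p->next) {
		hooks_invoked++;
		if ((rc = p->hook.file_open(ino, uid)) != 0)
			break;
	}
	return rc;
}

/* Two constructed modules (not SELinux or AppArmor code): A refuses /etc/shadow
 * to non-root whatever the mode bits say, B refuses /dev/mem to everyone. */
static int mod_a_file_open(const struct inode *ino, int uid)
{ return (uid != 0 && !strcmp(ino->path, "/etc/shadow")) ? -EACCES : 0; }
static int mod_b_file_open(const struct inode *ino, int uid)
{ (void)uid; return !strcmp(ino->path, "/dev/mem") ? -EPERM : 0; }
static struct security_hook_list mod_a_hooks[] = { LSM_HOOK_INIT(file_open, mod_a_file_open) };
static struct security_hook_list mod_b_hooks[] = { LSM_HOOK_INIT(file_open, mod_b_file_open) };

/* do_dentry_open() in miniature: DAC (mode bits) first, then the LSM hooks. */
static int do_dentry_open(const struct inode *ino, int uid)
{
	int dac_ok = uid == 0 || (uid == ino->owner_uid && (ino->mode & 0400)) || (ino->mode & 0004);
	hooks_invoked = 0;
	if (!dac_ok)
		return -EACCES;     /* DAC denied: no LSM hook is consulted at all */
	return security_file_open(ino, uid);
}

/* try_open(): build a constructed inode and push it through the DAC + LSM pipeline;
 * the modules are registered on first use, as selinux_init() does once at boot. */
static int try_open(const char *path, int owner_uid, unsigned mode, int uid)
{
	static int registered;
	if (!registered) {
		security_add_hooks(mod_a_hooks, 1); security_add_hooks(mod_b_hooks, 1); registered = 1;
	}
	struct inode ino = { path, owner_uid, mode };
	return do_dentry_open(&ino, uid);
}
```

Note that a world-readable /etc/shadow is still refused to uid 1000 by module A (hooks_invoked stays at 1, so module B never runs), while a 0600 file is refused by DAC before any hook is consulted (hooks_invoked is 0).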

2.3 The complete set of LSM paths

Recall the security-relevant kernel objects from section 1: task_struct (tasks and processes), linux_binprm (programs), super_block (file systems), inode (pipes, files or sockets), file (open files), sk_buff (network buffers), net_device (network devices), kern_ipc_perm (semaphores, shared memory segments and message queues) and msg_msg (individual messages).

LSM instruments the critical paths of these objects with the following operations:

struct security_hook_heads {
	struct list_head binder_set_context_mgr;
	struct list_head binder_transaction;
	struct list_head binder_transfer_binder;
	struct list_head binder_transfer_file;
	struct list_head ptrace_access_check;
	struct list_head ptrace_traceme;
	struct list_head capget;
	struct list_head capset;
	struct list_head capable;
	struct list_head quotactl;
	struct list_head quota_on;
	struct list_head syslog;
	struct list_head settime;
	struct list_head vm_enough_memory;
	struct list_head bprm_set_creds;
	struct list_head bprm_check_security;
	struct list_head bprm_secureexec;
	struct list_head bprm_committing_creds;
	struct list_head bprm_committed_creds;
	struct list_head sb_alloc_security;
	struct list_head sb_free_security;
	struct list_head sb_copy_data;
	struct list_head sb_remount;
	struct list_head sb_kern_mount;
	struct list_head sb_show_options;
	struct list_head sb_statfs;
	struct list_head sb_mount;
	struct list_head sb_umount;
	struct list_head sb_pivotroot;
	struct list_head sb_set_mnt_opts;
	struct list_head sb_clone_mnt_opts;
	struct list_head sb_parse_opts_str;
	struct list_head dentry_init_security;
#ifdef CONFIG_SECURITY_PATH
	struct list_head path_unlink;
	struct list_head path_mkdir;
	struct list_head path_rmdir;
	struct list_head path_mknod;
	struct list_head path_truncate;
	struct list_head path_symlink;
	struct list_head path_link;
	struct list_head path_rename;
	struct list_head path_chmod;
	struct list_head path_chown;
	struct list_head path_chroot;
#endif
	struct list_head inode_alloc_security;
	struct list_head inode_free_security;
	struct list_head inode_init_security;
	struct list_head inode_create;
	struct list_head inode_link;
	struct list_head inode_unlink;
	struct list_head inode_symlink;
	struct list_head inode_mkdir;
	struct list_head inode_rmdir;
	struct list_head inode_mknod;
	struct list_head inode_rename;
	struct list_head inode_readlink;
	struct list_head inode_follow_link;
	struct list_head inode_permission;
	struct list_head inode_setattr;
	struct list_head inode_getattr;
	struct list_head inode_setxattr;
	struct list_head inode_post_setxattr;
	struct list_head inode_getxattr;
	struct list_head inode_listxattr;
	struct list_head inode_removexattr;
	struct list_head inode_need_killpriv;
	struct list_head inode_killpriv;
	struct list_head inode_getsecurity;
	struct list_head inode_setsecurity;
	struct list_head inode_listsecurity;
	struct list_head inode_getsecid;
	struct list_head file_permission;
	struct list_head file_alloc_security;
	struct list_head file_free_security;
	struct list_head file_ioctl;
	struct list_head mmap_addr;
	struct list_head mmap_file;
	struct list_head file_mprotect;
	struct list_head file_lock;
	struct list_head file_fcntl;
	struct list_head file_set_fowner;
	struct list_head file_send_sigiotask;
	struct list_head file_receive;
	struct list_head file_open;
	struct list_head task_create;
	struct list_head task_free;
	struct list_head cred_alloc_blank;
	struct list_head cred_free;
	struct list_head cred_prepare;
	struct list_head cred_transfer;
	struct list_head kernel_act_as;
	struct list_head kernel_create_files_as;
	struct list_head kernel_fw_from_file;
	struct list_head kernel_module_request;
	struct list_head kernel_module_from_file;
	struct list_head task_fix_setuid;
	struct list_head task_setpgid;
	struct list_head task_getpgid;
	struct list_head task_getsid;
	struct list_head task_getsecid;
	struct list_head task_setnice;
	struct list_head task_setioprio;
	struct list_head task_getioprio;
	struct list_head task_setrlimit;
	struct list_head task_setscheduler;
	struct list_head task_getscheduler;
	struct list_head task_movememory;
	struct list_head task_kill;
	struct list_head task_wait;
	struct list_head task_prctl;
	struct list_head task_to_inode;
	struct list_head ipc_permission;
	struct list_head ipc_getsecid;
	struct list_head msg_msg_alloc_security;
	struct list_head msg_msg_free_security;
	struct list_head msg_queue_alloc_security;
	struct list_head msg_queue_free_security;
	struct list_head msg_queue_associate;
	struct list_head msg_queue_msgctl;
	struct list_head msg_queue_msgsnd;
	struct list_head msg_queue_msgrcv;
	struct list_head shm_alloc_security;
	struct list_head shm_free_security;
	struct list_head shm_associate;
	struct list_head shm_shmctl;
	struct list_head shm_shmat;
	struct list_head sem_alloc_security;
	struct list_head sem_free_security;
	struct list_head sem_associate;
	struct list_head sem_semctl;
	struct list_head sem_semop;
	struct list_head netlink_send;
	struct list_head d_instantiate;
	struct list_head getprocattr;
	struct list_head setprocattr;
	struct list_head ismaclabel;
	struct list_head secid_to_secctx;
	struct list_head secctx_to_secid;
	struct list_head release_secctx;
	struct list_head inode_notifysecctx;
	struct list_head inode_setsecctx;
	struct list_head inode_getsecctx;
#ifdef CONFIG_SECURITY_NETWORK
	struct list_head unix_stream_connect;
	struct list_head unix_may_send;
	struct list_head socket_create;
	struct list_head socket_post_create;
	struct list_head socket_bind;
	struct list_head socket_connect;
	struct list_head socket_listen;
	struct list_head socket_accept;
	struct list_head socket_sendmsg;
	struct list_head socket_recvmsg;
	struct list_head socket_getsockname;
	struct list_head socket_getpeername;
	struct list_head socket_getsockopt;
	struct list_head socket_setsockopt;
	struct list_head socket_shutdown;
	struct list_head socket_sock_rcv_skb;
	struct list_head socket_getpeersec_stream;
	struct list_head socket_getpeersec_dgram;
	struct list_head sk_alloc_security;
	struct list_head sk_free_security;
	struct list_head sk_clone_security;
	struct list_head sk_getsecid;
	struct list_head sock_graft;
	struct list_head inet_conn_request;
	struct list_head inet_csk_clone;
	struct list_head inet_conn_established;
	struct list_head secmark_relabel_packet;
	struct list_head secmark_refcount_inc;
	struct list_head secmark_refcount_dec;
	struct list_head req_classify_flow;
	struct list_head tun_dev_alloc_security;
	struct list_head tun_dev_free_security;
	struct list_head tun_dev_create;
	struct list_head tun_dev_attach_queue;
	struct list_head tun_dev_attach;
	struct list_head tun_dev_open;
	struct list_head skb_owned_by;
#endif	/* CONFIG_SECURITY_NETWORK */
#ifdef CONFIG_SECURITY_NETWORK_XFRM
	struct list_head xfrm_policy_alloc_security;
	struct list_head xfrm_policy_clone_security;
	struct list_head xfrm_policy_free_security;
	struct list_head xfrm_policy_delete_security;
	struct list_head xfrm_state_alloc;
	struct list_head xfrm_state_alloc_acquire;
	struct list_head xfrm_state_free_security;
	struct list_head xfrm_state_delete_security;
	struct list_head xfrm_policy_lookup;
	struct list_head xfrm_state_pol_flow_match;
	struct list_head xfrm_decode_session;
#endif	/* CONFIG_SECURITY_NETWORK_XFRM */
#ifdef CONFIG_KEYS
	struct list_head key_alloc;
	struct list_head key_free;
	struct list_head key_permission;
	struct list_head key_getsecurity;
#endif	/* CONFIG_KEYS */
#ifdef CONFIG_AUDIT
	struct list_head audit_rule_init;
	struct list_head audit_rule_known;
	struct list_head audit_rule_match;
	struct list_head audit_rule_free;
#endif /* CONFIG_AUDIT */
};

The corresponding complete set of SELinux definitions:

static struct security_hook_list selinux_hooks[] = {
	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
	LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
	LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),

	LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
	LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
	LSM_HOOK_INIT(capget, selinux_capget),
	LSM_HOOK_INIT(capset, selinux_capset),
	LSM_HOOK_INIT(capable, selinux_capable),
	LSM_HOOK_INIT(quotactl, selinux_quotactl),
	LSM_HOOK_INIT(quota_on, selinux_quota_on),
	LSM_HOOK_INIT(syslog, selinux_syslog),
	LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),

	LSM_HOOK_INIT(netlink_send, selinux_netlink_send),

	LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
	LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
	LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
	LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),

	LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
	LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
	LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
	LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
	LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
	LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
	LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
	LSM_HOOK_INIT(sb_mount, selinux_mount),
	LSM_HOOK_INIT(sb_umount, selinux_umount),
	LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
	LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
	LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),

	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),

	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
	LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
	LSM_HOOK_INIT(inode_create, selinux_inode_create),
	LSM_HOOK_INIT(inode_link, selinux_inode_link),
	LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
	LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
	LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
	LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
	LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
	LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
	LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
	LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
	LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
	LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
	LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
	LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
	LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
	LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
	LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
	LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
	LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),

	LSM_HOOK_INIT(file_permission, selinux_file_permission),
	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
	LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
	LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
	LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
	LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
	LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
	LSM_HOOK_INIT(file_lock, selinux_file_lock),
	LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
	LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
	LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
	LSM_HOOK_INIT(file_receive, selinux_file_receive),

	LSM_HOOK_INIT(file_open, selinux_file_open),

	LSM_HOOK_INIT(task_create, selinux_task_create),
	LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
	LSM_HOOK_INIT(cred_free, selinux_cred_free),
	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
	LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
	LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
	LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
	LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
	LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
	LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
	LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
	LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
	LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
	LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
	LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
	LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
	LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
	LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
	LSM_HOOK_INIT(task_kill, selinux_task_kill),
	LSM_HOOK_INIT(task_wait, selinux_task_wait),
	LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),

	LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
	LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),

	LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
	LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),

	LSM_HOOK_INIT(msg_queue_alloc_security,
			selinux_msg_queue_alloc_security),
	LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
	LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
	LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
	LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
	LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),

	LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
	LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
	LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
	LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
	LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),

	LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
	LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
	LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
	LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
	LSM_HOOK_INIT(sem_semop, selinux_sem_semop),

	LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),

	LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
	LSM_HOOK_INIT(setprocattr, selinux_setprocattr),

	LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
	LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
	LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
	LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
	LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
	LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
	LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),

	LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
	LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),

	LSM_HOOK_INIT(socket_create, selinux_socket_create),
	LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
	LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
	LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
	LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
	LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
	LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
	LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
	LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
	LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
	LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
	LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
	LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
	LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
	LSM_HOOK_INIT(socket_getpeersec_stream,
			selinux_socket_getpeersec_stream),
	LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
	LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
	LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
	LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
	LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
	LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
	LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
	LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
	LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
	LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
	LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
	LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
	LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
	LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
	LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),

#ifdef CONFIG_SECURITY_NETWORK_XFRM
	LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
	LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
	LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
	LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
	LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
	LSM_HOOK_INIT(xfrm_state_alloc_acquire,
			selinux_xfrm_state_alloc_acquire),
	LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
	LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
	LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
	LSM_HOOK_INIT(xfrm_state_pol_flow_match,
			selinux_xfrm_state_pol_flow_match),
	LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
#endif

#ifdef CONFIG_KEYS
	LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
	LSM_HOOK_INIT(key_free, selinux_key_free),
	LSM_HOOK_INIT(key_permission, selinux_key_permission),
	LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
#endif

#ifdef CONFIG_AUDIT
	LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
	LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
#endif
};
