1. 基本原理
LSM是内核安全模块的一套框架,本质是插桩法。它的主要有两个特点:
- 1、在内核安全相关的关键路径上插入了Hook点:
内核安全相关的关键对象有:task_struct(任务和进程)、linux_binprm(程序)、super_block(文件系统)、inode(管道、文件或者 socket套接字)、file
(打开的文件)、sk_buff(网络缓冲区)、net_device(网络设备)、ker_ipc_perm(Semaphore消息,共享内存段,消息队列)、msg_msg(单个消息)。
如上图,对这些对象的系统调用操作就是关键路径。LSM在这些关键路径上,使用静态插桩法,插入了一批预置的Hook点。
- 2、LSM的Hook点用途:
如上图,系统调用路径上对安全方面的检查分为多个阶段:
1、先通过原有的内部接口进行功能性的错误检查。
2、然后再进行自主访问控制DAC检查。
3、调用LSM的Hook函数。
其中自主访问控制(Discretionary Access Control,DAC)是 指对某个客体具有拥有权(或控制权)的主体能够将对该客体的一种或多种访问权自主地授予其它主体,并在随后的任何时刻将这些权限回收。这种控制是自主的, 也就是指具有授予某种访问权力的主体(用户)/能够自己决定/是否将访问控制权限的某个子集授予其他的主体/或从其他主体那里收回他所授予的访问权限。
即传统的Linux UID/GID机制,Linux通过用户、进程、文件的UID/GID来进行权限管理的。Linux将文件的权限划分为读、写和执行三种,分别用字母r、w和x表示。每一个文件有三组读、写和执行权限,分别是针对文件的所有者(u)、文件所有者所属的组(g)以及除前两种之外的其它用户(o)。这样,如果一个用户想要将一个自己创建的文件交给另外一个用户访问,那么只需要相应地设置一下这个文件的其它用户权限位就可以了。文件的权限控制在所有者手中。
与之对应的是强制访问控制(Mandatory access control,MAC),也是一种由操作系统约束的访问控制,目标是限制主体或发起者访问 或 对对象/目标执行某种操作的 能力。主体通常是一个进程或线程,对象可能是文件、目录、TCP/UDP端口、共享内存段、I/O设备等。每当主体尝试访问对象时,都会由操作系统内核强 制执行授权规则–检查安全属性并决定是否可进行访问。同样,任何主体对任何对象的任何操作都将根据一组授权规则(策略)进行测试,决定操作是否被允许。
也就是在MAC下,用户不能覆盖或修改策略,策略由安全管理员集中控制。相比而言,DAC也具有控制主体访问对象的能力,但允许用户进行策略决策/分配安全属性。最近的MAC实现有诸如面向Linux的SELinux和AppArmor,以及面向Windows的强制完整性控制。
LSM框架就一般用来做MAC控制,常见的有SELinux/AppArmor。
2. 实现
2.1 插桩原理
在安全相关的关键系统调用中都显式的插入了静态插桩点。例如在open()系统调用中调用了security_file_open():
vfs_open() -> do_dentry_open():
do_dentry_open()
{
/* (1) LSM框架关于open()的hook函数 */
error = security_file_open(f, cred);
if (error)
goto cleanup_all;
}
security_file_open()就是一个LSM的桩函数(hook),它只是是一个框架,它在被调用时会逐个调用对应链表上的所有函数。
security\security.c:
int security_file_open(struct file *file, const struct cred *cred)
{
int ret;
/* (1.1) 逐个调用链表上的所有处理函数 */
ret = call_int_hook(file_open, 0, file, cred);
if (ret)
return ret;
return fsnotify_perm(file, MAY_OPEN);
}
↓
#define call_int_hook(FUNC, IRC, ...) ({ \
int RC = IRC; \
do { \
struct security_hook_list *P; \
\
/* (1.1.1) open()操作对应的链表为security_hook_heads.file_open */
list_for_each_entry(P, &security_hook_heads.FUNC, list) { \
/* (1.1.2)节点的P->hook.FUNC为函数指针 */
RC = P->hook.FUNC(__VA_ARGS__); \
if (RC != 0) \
break; \
} \
} while (0); \
RC; \
})
通过这种机制,安全模块可以向LSM框架注册自己的处理函数。
2.2 新回调的注册
例如selinux可以向open()操作的security_hook_heads.file_open链表注册自己的处理函数。
- 1、定义:
security\selinux\hooks.c:
static struct security_hook_list selinux_hooks[] = {
...
LSM_HOOK_INIT(file_open, selinux_file_open),
...
}
#define LSM_HOOK_INIT(HEAD, HOOK) \
{ .head = &security_hook_heads.HEAD, .hook = { .HEAD = HOOK } }
上面的定义展开为
{ .head = &security_hook_heads.file_open, .hook = { .file_open = selinux_file_open } }
- 2、注册:
static __init int selinux_init(void)
{
security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
}
↓
static inline void security_add_hooks(struct security_hook_list *hooks,
int count)
{
int i;
/* (1) 将自定义的selinux_hooks[n]添加进LSM的全局链表security_hook_heads.file_open */
for (i = 0; i < count; i++)
list_add_tail_rcu(&hooks[i].list, hooks[i].head);
}
2.3 LSM路径全集
内核安全相关的关键对象有:task_struct(任务和进程)、linux_binprm(程序)、super_block(文件系统)、inode(管道、文件或者 socket套接字)、file
(打开的文件)、sk_buff(网络缓冲区)、net_device(网络设备)、ker_ipc_perm(Semaphore消息,共享内存段,消息队列)、msg_msg(单个消息)。
LSM对这些对象关键路径的插桩有以下操作:
struct security_hook_heads {
struct list_head binder_set_context_mgr;
struct list_head binder_transaction;
struct list_head binder_transfer_binder;
struct list_head binder_transfer_file;
struct list_head ptrace_access_check;
struct list_head ptrace_traceme;
struct list_head capget;
struct list_head capset;
struct list_head capable;
struct list_head quotactl;
struct list_head quota_on;
struct list_head syslog;
struct list_head settime;
struct list_head vm_enough_memory;
struct list_head bprm_set_creds;
struct list_head bprm_check_security;
struct list_head bprm_secureexec;
struct list_head bprm_committing_creds;
struct list_head bprm_committed_creds;
struct list_head sb_alloc_security;
struct list_head sb_free_security;
struct list_head sb_copy_data;
struct list_head sb_remount;
struct list_head sb_kern_mount;
struct list_head sb_show_options;
struct list_head sb_statfs;
struct list_head sb_mount;
struct list_head sb_umount;
struct list_head sb_pivotroot;
struct list_head sb_set_mnt_opts;
struct list_head sb_clone_mnt_opts;
struct list_head sb_parse_opts_str;
struct list_head dentry_init_security;
#ifdef CONFIG_SECURITY_PATH
struct list_head path_unlink;
struct list_head path_mkdir;
struct list_head path_rmdir;
struct list_head path_mknod;
struct list_head path_truncate;
struct list_head path_symlink;
struct list_head path_link;
struct list_head path_rename;
struct list_head path_chmod;
struct list_head path_chown;
struct list_head path_chroot;
#endif
struct list_head inode_alloc_security;
struct list_head inode_free_security;
struct list_head inode_init_security;
struct list_head inode_create;
struct list_head inode_link;
struct list_head inode_unlink;
struct list_head inode_symlink;
struct list_head inode_mkdir;
struct list_head inode_rmdir;
struct list_head inode_mknod;
struct list_head inode_rename;
struct list_head inode_readlink;
struct list_head inode_follow_link;
struct list_head inode_permission;
struct list_head inode_setattr;
struct list_head inode_getattr;
struct list_head inode_setxattr;
struct list_head inode_post_setxattr;
struct list_head inode_getxattr;
struct list_head inode_listxattr;
struct list_head inode_removexattr;
struct list_head inode_need_killpriv;
struct list_head inode_killpriv;
struct list_head inode_getsecurity;
struct list_head inode_setsecurity;
struct list_head inode_listsecurity;
struct list_head inode_getsecid;
struct list_head file_permission;
struct list_head file_alloc_security;
struct list_head file_free_security;
struct list_head file_ioctl;
struct list_head mmap_addr;
struct list_head mmap_file;
struct list_head file_mprotect;
struct list_head file_lock;
struct list_head file_fcntl;
struct list_head file_set_fowner;
struct list_head file_send_sigiotask;
struct list_head file_receive;
struct list_head file_open;
struct list_head task_create;
struct list_head task_free;
struct list_head cred_alloc_blank;
struct list_head cred_free;
struct list_head cred_prepare;
struct list_head cred_transfer;
struct list_head kernel_act_as;
struct list_head kernel_create_files_as;
struct list_head kernel_fw_from_file;
struct list_head kernel_module_request;
struct list_head kernel_module_from_file;
struct list_head task_fix_setuid;
struct list_head task_setpgid;
struct list_head task_getpgid;
struct list_head task_getsid;
struct list_head task_getsecid;
struct list_head task_setnice;
struct list_head task_setioprio;
struct list_head task_getioprio;
struct list_head task_setrlimit;
struct list_head task_setscheduler;
struct list_head task_getscheduler;
struct list_head task_movememory;
struct list_head task_kill;
struct list_head task_wait;
struct list_head task_prctl;
struct list_head task_to_inode;
struct list_head ipc_permission;
struct list_head ipc_getsecid;
struct list_head msg_msg_alloc_security;
struct list_head msg_msg_free_security;
struct list_head msg_queue_alloc_security;
struct list_head msg_queue_free_security;
struct list_head msg_queue_associate;
struct list_head msg_queue_msgctl;
struct list_head msg_queue_msgsnd;
struct list_head msg_queue_msgrcv;
struct list_head shm_alloc_security;
struct list_head shm_free_security;
struct list_head shm_associate;
struct list_head shm_shmctl;
struct list_head shm_shmat;
struct list_head sem_alloc_security;
struct list_head sem_free_security;
struct list_head sem_associate;
struct list_head sem_semctl;
struct list_head sem_semop;
struct list_head netlink_send;
struct list_head d_instantiate;
struct list_head getprocattr;
struct list_head setprocattr;
struct list_head ismaclabel;
struct list_head secid_to_secctx;
struct list_head secctx_to_secid;
struct list_head release_secctx;
struct list_head inode_notifysecctx;
struct list_head inode_setsecctx;
struct list_head inode_getsecctx;
#ifdef CONFIG_SECURITY_NETWORK
struct list_head unix_stream_connect;
struct list_head unix_may_send;
struct list_head socket_create;
struct list_head socket_post_create;
struct list_head socket_bind;
struct list_head socket_connect;
struct list_head socket_listen;
struct list_head socket_accept;
struct list_head socket_sendmsg;
struct list_head socket_recvmsg;
struct list_head socket_getsockname;
struct list_head socket_getpeername;
struct list_head socket_getsockopt;
struct list_head socket_setsockopt;
struct list_head socket_shutdown;
struct list_head socket_sock_rcv_skb;
struct list_head socket_getpeersec_stream;
struct list_head socket_getpeersec_dgram;
struct list_head sk_alloc_security;
struct list_head sk_free_security;
struct list_head sk_clone_security;
struct list_head sk_getsecid;
struct list_head sock_graft;
struct list_head inet_conn_request;
struct list_head inet_csk_clone;
struct list_head inet_conn_established;
struct list_head secmark_relabel_packet;
struct list_head secmark_refcount_inc;
struct list_head secmark_refcount_dec;
struct list_head req_classify_flow;
struct list_head tun_dev_alloc_security;
struct list_head tun_dev_free_security;
struct list_head tun_dev_create;
struct list_head tun_dev_attach_queue;
struct list_head tun_dev_attach;
struct list_head tun_dev_open;
struct list_head skb_owned_by;
#endif /* CONFIG_SECURITY_NETWORK */
#ifdef CONFIG_SECURITY_NETWORK_XFRM
struct list_head xfrm_policy_alloc_security;
struct list_head xfrm_policy_clone_security;
struct list_head xfrm_policy_free_security;
struct list_head xfrm_policy_delete_security;
struct list_head xfrm_state_alloc;
struct list_head xfrm_state_alloc_acquire;
struct list_head xfrm_state_free_security;
struct list_head xfrm_state_delete_security;
struct list_head xfrm_policy_lookup;
struct list_head xfrm_state_pol_flow_match;
struct list_head xfrm_decode_session;
#endif /* CONFIG_SECURITY_NETWORK_XFRM */
#ifdef CONFIG_KEYS
struct list_head key_alloc;
struct list_head key_free;
struct list_head key_permission;
struct list_head key_getsecurity;
#endif /* CONFIG_KEYS */
#ifdef CONFIG_AUDIT
struct list_head audit_rule_init;
struct list_head audit_rule_known;
struct list_head audit_rule_match;
struct list_head audit_rule_free;
#endif /* CONFIG_AUDIT */
}
对应selinux的全集定义:
static struct security_hook_list selinux_hooks[] = {
LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
LSM_HOOK_INIT(capget, selinux_capget),
LSM_HOOK_INIT(capset, selinux_capset),
LSM_HOOK_INIT(capable, selinux_capable),
LSM_HOOK_INIT(quotactl, selinux_quotactl),
LSM_HOOK_INIT(quota_on, selinux_quota_on),
LSM_HOOK_INIT(syslog, selinux_syslog),
LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
LSM_HOOK_INIT(sb_mount, selinux_mount),
LSM_HOOK_INIT(sb_umount, selinux_umount),
LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
LSM_HOOK_INIT(inode_create, selinux_inode_create),
LSM_HOOK_INIT(inode_link, selinux_inode_link),
LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
LSM_HOOK_INIT(file_permission, selinux_file_permission),
LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
LSM_HOOK_INIT(file_lock, selinux_file_lock),
LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
LSM_HOOK_INIT(file_receive, selinux_file_receive),
LSM_HOOK_INIT(file_open, selinux_file_open),
LSM_HOOK_INIT(task_create, selinux_task_create),
LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
LSM_HOOK_INIT(cred_free, selinux_cred_free),
LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
LSM_HOOK_INIT(task_kill, selinux_task_kill),
LSM_HOOK_INIT(task_wait, selinux_task_wait),
LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
LSM_HOOK_INIT(msg_queue_alloc_security,
selinux_msg_queue_alloc_security),
LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
LSM_HOOK_INIT(socket_create, selinux_socket_create),
LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
LSM_HOOK_INIT(socket_getpeersec_stream,
selinux_socket_getpeersec_stream),
LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
#ifdef CONFIG_SECURITY_NETWORK_XFRM
LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
LSM_HOOK_INIT(xfrm_state_alloc_acquire,
selinux_xfrm_state_alloc_acquire),
LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
LSM_HOOK_INIT(xfrm_state_pol_flow_match,
selinux_xfrm_state_pol_flow_match),
LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
#endif
#ifdef CONFIG_KEYS
LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
LSM_HOOK_INIT(key_free, selinux_key_free),
LSM_HOOK_INIT(key_permission, selinux_key_permission),
LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
#endif
#ifdef CONFIG_AUDIT
LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
#endif
};