LSM (Linux Security Modules) Framework Internals

    Tech  2022-07-11

    1. Basic principles

    LSM is the framework for kernel security modules; at heart it is an instrumentation (hooking) technique. It has two main characteristics:

    1. Hook points are inserted on the security-critical paths inside the kernel:

    The security-critical kernel objects are: task_struct (tasks and processes), linux_binprm (programs being executed), super_block (file systems), inode (pipes, files or sockets), file (open files), sk_buff (network buffers), net_device (network devices), kern_ipc_perm (semaphores, shared memory segments, message queues) and msg_msg (individual messages).

    As the figure above shows, the system calls that operate on these objects form the critical paths. On those paths LSM uses static instrumentation to insert a set of predefined hook points.

    2. What the LSM hook points are for:

    As the figure above shows, the security checks on a system call path proceed in several stages:

    1. First, the existing internal interfaces perform functional error checking.
    2. Then the discretionary access control (DAC) check runs.
    3. Finally, the LSM hook function is called.

    Discretionary Access Control (DAC) means that a subject that owns (or controls) an object can, at its own discretion, grant one or more kinds of access to that object to other subjects, and revoke those rights at any later time. The control is discretionary in that the subject (user) holding the right to grant access decides for itself whether to grant some subset of its access permissions to other subjects, or to take back permissions it has granted. This is the traditional Linux UID/GID mechanism: Linux manages permissions through the UIDs/GIDs of users, processes and files. File permissions are divided into read, write and execute, written r, w and x. Each file carries three sets of read/write/execute bits: one for the file's owner (u), one for the owner's group (g), and one for all other users (o). So if a user wants to let another user access a file they created, they only need to set the file's "other" permission bits accordingly. Control over a file's permissions lies with its owner.

    Its counterpart is Mandatory Access Control (MAC), also a form of access control enforced by the operating system, whose goal is to constrain the ability of a subject (initiator) to access an object (target) or to perform some operation on it. The subject is usually a process or thread; the object may be a file, directory, TCP/UDP port, shared memory segment, I/O device and so on. Whenever a subject attempts to access an object, the kernel enforces the authorization rules: it checks the security attributes and decides whether the access may proceed. Likewise, any operation by any subject on any object is tested against a set of authorization rules (the policy) that decides whether the operation is allowed. Under MAC, users cannot override or modify the policy; it is controlled centrally by a security administrator. DAC also controls subjects' access to objects, but it lets users make policy decisions and assign security attributes themselves. Recent MAC implementations include SELinux and AppArmor for Linux, and Mandatory Integrity Control for Windows.

    In practice the LSM framework is generally used to implement MAC; SELinux and AppArmor are the common examples.

    2. Implementation

    2.1 How the instrumentation works

    Static instrumentation points are inserted explicitly into the security-critical system calls. For example, the open() system call invokes security_file_open():

    vfs_open() -> do_dentry_open():

    do_dentry_open()
    {
        /* (1) the LSM framework's hook for open() */
        error = security_file_open(f, cred);
        if (error)
            goto cleanup_all;
    }

    security_file_open() is an LSM stub function (hook). It is only a framework entry point: when called, it invokes every function on the corresponding list in turn.

    security/security.c:

    int security_file_open(struct file *file, const struct cred *cred)
    {
        int ret;

        /* (1.1) call every handler on the list, one after another */
        ret = call_int_hook(file_open, 0, file, cred);
        if (ret)
            return ret;

        return fsnotify_perm(file, MAY_OPEN);
    }

    ↓

    #define call_int_hook(FUNC, IRC, ...) ({                                  \
        int RC = IRC;                                                         \
        do {                                                                  \
            struct security_hook_list *P;                                     \
                                                                              \
            /* (1.1.1) the list for open() is security_hook_heads.file_open */ \
            list_for_each_entry(P, &security_hook_heads.FUNC, list) {         \
                /* (1.1.2) P->hook.FUNC of each node is a function pointer */  \
                RC = P->hook.FUNC(__VA_ARGS__);                               \
                if (RC != 0)                                                  \
                    break;                                                    \
            }                                                                 \
        } while (0);                                                          \
        RC;                                                                   \
    })

    It is this mechanism that lets a security module register its own handler functions with the LSM framework.

    2.2 Registering a new callback

    For example, SELinux registers its own handler on the security_hook_heads.file_open list that belongs to the open() operation.

    1. Definition:

    security/selinux/hooks.c:

    static struct security_hook_list selinux_hooks[] = {
        ...
        LSM_HOOK_INIT(file_open, selinux_file_open),
        ...
    };

    #define LSM_HOOK_INIT(HEAD, HOOK) \
        { .head = &security_hook_heads.HEAD, .hook = { .HEAD = HOOK } }

    The definition above expands to:

    { .head = &security_hook_heads.file_open, .hook = { .file_open = selinux_file_open } }

    2. Registration:

    static __init int selinux_init(void)
    {
        security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
    }

    ↓

    static inline void security_add_hooks(struct security_hook_list *hooks, int count)
    {
        int i;

        /* (1) add each custom selinux_hooks[n] entry to the LSM global list it names
         *     (security_hook_heads.file_open in this example) */
        for (i = 0; i < count; i++)
            list_add_tail_rcu(&hooks[i].list, hooks[i].head);
    }
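    The following userspace C model is an added illustration of sections 2.1 and 2.2, not code from this page or from the kernel: it reproduces the list walk of call_int_hook() and the tail-append registration of security_add_hooks() with two toy modules, and shows that the first non-zero return stops the walk, so a module registered later never sees an open that an earlier module already denied. The names hook_fn, hook_entry, hook_heads, HOOK_INIT, add_hooks, check_open, F_WRITE and the two toy modules are assumptions made for the example, not kernel identifiers.

```c
#include <errno.h>
#include <string.h>
#define F_WRITE 1   /* constructed flag meaning "opened for writing" */
struct file { const char *path; int flags; };

/* One pointer per hook (like union security_list_options), one node per registration
 * (like struct security_hook_list), one list head per hook point (like security_hook_heads) */
union hook_fn { int (*file_open)(struct file *f); };
struct hook_entry { struct hook_entry *next, **head; union hook_fn hook; };
static struct { struct hook_entry *file_open; } hook_heads;

/* Same shape as LSM_HOOK_INIT: bind a hook name to one module's handler */
#define HOOK_INIT(HEAD, HOOK) { NULL, &hook_heads.HEAD, { .HEAD = HOOK } }

/* Same shape as call_int_hook: walk the list in order, stop at the first non-zero return */
#define call_int_hook(FUNC, IRC, ...) ({                             \
    int RC = IRC;                                                    \
    for (struct hook_entry *P = hook_heads.FUNC; P; P = P->next) {   \
        RC = P->hook.FUNC(__VA_ARGS__);                              \
        if (RC != 0)                                                 \
            break;                                                   \
    }                                                                \
    RC; })

/* Append at the tail, as security_add_hooks() does via list_add_tail_rcu() */
static void add_hooks(struct hook_entry *hooks, int count)
{
    for (int i = 0; i < count; i++) {
        struct hook_entry **pp = hooks[i].head;
        while (*pp)
            pp = &(*pp)->next;
        hooks[i].next = NULL;
        *pp = &hooks[i];
    }
}

/* The stub that do_dentry_open() would call */
static int security_file_open(struct file *f) { return call_int_hook(file_open, 0, f); }

/* Toy module A: MAC-style rule, deny writes under /etc whatever the DAC bits say */
static int mod_a_file_open(struct file *f)
{
    return ((f->flags & F_WRITE) && strncmp(f->path, "/etc/", 5) == 0) ? -EACCES : 0;
}

/* Toy module B: audit only, counts the opens that actually reach it */
static int mod_b_seen;
static int mod_b_file_open(struct file *f) { (void)f; mod_b_seen++; return 0; }
int mod_b_calls(void) { return mod_b_seen; }

static struct hook_entry mod_a_hooks[] = { HOOK_INIT(file_open, mod_a_file_open) };
static struct hook_entry mod_b_hooks[] = { HOOK_INIT(file_open, mod_b_file_open) };

/* Register A before B on first use, then run one open through the chain */
int check_open(const char *path, int flags)
{
    static int registered;
    if (!registered) {
        add_hooks(mod_a_hooks, 1);
        add_hooks(mod_b_hooks, 1);
        registered = 1;
    }
    struct file f = { path, flags };
    return security_file_open(&f);
}
```

    Because the walk short-circuits, module B's counter does not advance for the denied write, which is also why a logging-only LSM stacked after an enforcing one will never record the accesses the first one refused.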

    2.3 The full set of LSM hook points

    The security-critical kernel objects, again, are: task_struct (tasks and processes), linux_binprm (programs being executed), super_block (file systems), inode (pipes, files or sockets), file (open files), sk_buff (network buffers), net_device (network devices), kern_ipc_perm (semaphores, shared memory segments, message queues) and msg_msg (individual messages).

    LSM instruments the critical paths of these objects with the following hook operations:

    struct security_hook_heads {
        struct list_head binder_set_context_mgr;
        struct list_head binder_transaction;
        struct list_head binder_transfer_binder;
        struct list_head binder_transfer_file;
        struct list_head ptrace_access_check;
        struct list_head ptrace_traceme;
        struct list_head capget;
        struct list_head capset;
        struct list_head capable;
        struct list_head quotactl;
        struct list_head quota_on;
        struct list_head syslog;
        struct list_head settime;
        struct list_head vm_enough_memory;
        struct list_head bprm_set_creds;
        struct list_head bprm_check_security;
        struct list_head bprm_secureexec;
        struct list_head bprm_committing_creds;
        struct list_head bprm_committed_creds;
        struct list_head sb_alloc_security;
        struct list_head sb_free_security;
        struct list_head sb_copy_data;
        struct list_head sb_remount;
        struct list_head sb_kern_mount;
        struct list_head sb_show_options;
        struct list_head sb_statfs;
        struct list_head sb_mount;
        struct list_head sb_umount;
        struct list_head sb_pivotroot;
        struct list_head sb_set_mnt_opts;
        struct list_head sb_clone_mnt_opts;
        struct list_head sb_parse_opts_str;
        struct list_head dentry_init_security;
    #ifdef CONFIG_SECURITY_PATH
        struct list_head path_unlink;
        struct list_head path_mkdir;
        struct list_head path_rmdir;
        struct list_head path_mknod;
        struct list_head path_truncate;
        struct list_head path_symlink;
        struct list_head path_link;
        struct list_head path_rename;
        struct list_head path_chmod;
        struct list_head path_chown;
        struct list_head path_chroot;
    #endif
        struct list_head inode_alloc_security;
        struct list_head inode_free_security;
        struct list_head inode_init_security;
        struct list_head inode_create;
        struct list_head inode_link;
        struct list_head inode_unlink;
        struct list_head inode_symlink;
        struct list_head inode_mkdir;
        struct list_head inode_rmdir;
        struct list_head inode_mknod;
        struct list_head inode_rename;
        struct list_head inode_readlink;
        struct list_head inode_follow_link;
        struct list_head inode_permission;
        struct list_head inode_setattr;
        struct list_head inode_getattr;
        struct list_head inode_setxattr;
        struct list_head inode_post_setxattr;
        struct list_head inode_getxattr;
        struct list_head inode_listxattr;
        struct list_head inode_removexattr;
        struct list_head inode_need_killpriv;
        struct list_head inode_killpriv;
        struct list_head inode_getsecurity;
        struct list_head inode_setsecurity;
        struct list_head inode_listsecurity;
        struct list_head inode_getsecid;
        struct list_head file_permission;
        struct list_head file_alloc_security;
        struct list_head file_free_security;
        struct list_head file_ioctl;
        struct list_head mmap_addr;
        struct list_head mmap_file;
        struct list_head file_mprotect;
        struct list_head file_lock;
        struct list_head file_fcntl;
        struct list_head file_set_fowner;
        struct list_head file_send_sigiotask;
        struct list_head file_receive;
        struct list_head file_open;
        struct list_head task_create;
        struct list_head task_free;
        struct list_head cred_alloc_blank;
        struct list_head cred_free;
        struct list_head cred_prepare;
        struct list_head cred_transfer;
        struct list_head kernel_act_as;
        struct list_head kernel_create_files_as;
        struct list_head kernel_fw_from_file;
        struct list_head kernel_module_request;
        struct list_head kernel_module_from_file;
        struct list_head task_fix_setuid;
        struct list_head task_setpgid;
        struct list_head task_getpgid;
        struct list_head task_getsid;
        struct list_head task_getsecid;
        struct list_head task_setnice;
        struct list_head task_setioprio;
        struct list_head task_getioprio;
        struct list_head task_setrlimit;
        struct list_head task_setscheduler;
        struct list_head task_getscheduler;
        struct list_head task_movememory;
        struct list_head task_kill;
        struct list_head task_wait;
        struct list_head task_prctl;
        struct list_head task_to_inode;
        struct list_head ipc_permission;
        struct list_head ipc_getsecid;
        struct list_head msg_msg_alloc_security;
        struct list_head msg_msg_free_security;
        struct list_head msg_queue_alloc_security;
        struct list_head msg_queue_free_security;
        struct list_head msg_queue_associate;
        struct list_head msg_queue_msgctl;
        struct list_head msg_queue_msgsnd;
        struct list_head msg_queue_msgrcv;
        struct list_head shm_alloc_security;
        struct list_head shm_free_security;
        struct list_head shm_associate;
        struct list_head shm_shmctl;
        struct list_head shm_shmat;
        struct list_head sem_alloc_security;
        struct list_head sem_free_security;
        struct list_head sem_associate;
        struct list_head sem_semctl;
        struct list_head sem_semop;
        struct list_head netlink_send;
        struct list_head d_instantiate;
        struct list_head getprocattr;
        struct list_head setprocattr;
        struct list_head ismaclabel;
        struct list_head secid_to_secctx;
        struct list_head secctx_to_secid;
        struct list_head release_secctx;
        struct list_head inode_notifysecctx;
        struct list_head inode_setsecctx;
        struct list_head inode_getsecctx;
    #ifdef CONFIG_SECURITY_NETWORK
        struct list_head unix_stream_connect;
        struct list_head unix_may_send;
        struct list_head socket_create;
        struct list_head socket_post_create;
        struct list_head socket_bind;
        struct list_head socket_connect;
        struct list_head socket_listen;
        struct list_head socket_accept;
        struct list_head socket_sendmsg;
        struct list_head socket_recvmsg;
        struct list_head socket_getsockname;
        struct list_head socket_getpeername;
        struct list_head socket_getsockopt;
        struct list_head socket_setsockopt;
        struct list_head socket_shutdown;
        struct list_head socket_sock_rcv_skb;
        struct list_head socket_getpeersec_stream;
        struct list_head socket_getpeersec_dgram;
        struct list_head sk_alloc_security;
        struct list_head sk_free_security;
        struct list_head sk_clone_security;
        struct list_head sk_getsecid;
        struct list_head sock_graft;
        struct list_head inet_conn_request;
        struct list_head inet_csk_clone;
        struct list_head inet_conn_established;
        struct list_head secmark_relabel_packet;
        struct list_head secmark_refcount_inc;
        struct list_head secmark_refcount_dec;
        struct list_head req_classify_flow;
        struct list_head tun_dev_alloc_security;
        struct list_head tun_dev_free_security;
        struct list_head tun_dev_create;
        struct list_head tun_dev_attach_queue;
        struct list_head tun_dev_attach;
        struct list_head tun_dev_open;
        struct list_head skb_owned_by;
    #endif /* CONFIG_SECURITY_NETWORK */
    #ifdef CONFIG_SECURITY_NETWORK_XFRM
        struct list_head xfrm_policy_alloc_security;
        struct list_head xfrm_policy_clone_security;
        struct list_head xfrm_policy_free_security;
        struct list_head xfrm_policy_delete_security;
        struct list_head xfrm_state_alloc;
        struct list_head xfrm_state_alloc_acquire;
        struct list_head xfrm_state_free_security;
        struct list_head xfrm_state_delete_security;
        struct list_head xfrm_policy_lookup;
        struct list_head xfrm_state_pol_flow_match;
        struct list_head xfrm_decode_session;
    #endif /* CONFIG_SECURITY_NETWORK_XFRM */
    #ifdef CONFIG_KEYS
        struct list_head key_alloc;
        struct list_head key_free;
        struct list_head key_permission;
        struct list_head key_getsecurity;
    #endif /* CONFIG_KEYS */
    #ifdef CONFIG_AUDIT
        struct list_head audit_rule_init;
        struct list_head audit_rule_known;
        struct list_head audit_rule_match;
        struct list_head audit_rule_free;
    #endif /* CONFIG_AUDIT */
    };

    The corresponding full set of SELinux hook definitions:

    static struct security_hook_list selinux_hooks[] = {
        LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
        LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
        LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
        LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
        LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
        LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
        LSM_HOOK_INIT(capget, selinux_capget),
        LSM_HOOK_INIT(capset, selinux_capset),
        LSM_HOOK_INIT(capable, selinux_capable),
        LSM_HOOK_INIT(quotactl, selinux_quotactl),
        LSM_HOOK_INIT(quota_on, selinux_quota_on),
        LSM_HOOK_INIT(syslog, selinux_syslog),
        LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
        LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
        LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
        LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
        LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
        LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
        LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
        LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
        LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
        LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
        LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
        LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
        LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
        LSM_HOOK_INIT(sb_mount, selinux_mount),
        LSM_HOOK_INIT(sb_umount, selinux_umount),
        LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
        LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
        LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
        LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
        LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
        LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
        LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
        LSM_HOOK_INIT(inode_create, selinux_inode_create),
        LSM_HOOK_INIT(inode_link, selinux_inode_link),
        LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
        LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
        LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
        LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
        LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
        LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
        LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
        LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
        LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
        LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
        LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
        LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
        LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
        LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
        LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
        LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
        LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
        LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
        LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
        LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
        LSM_HOOK_INIT(file_permission, selinux_file_permission),
        LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
        LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
        LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
        LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
        LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
        LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
        LSM_HOOK_INIT(file_lock, selinux_file_lock),
        LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
        LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
        LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
        LSM_HOOK_INIT(file_receive, selinux_file_receive),
        LSM_HOOK_INIT(file_open, selinux_file_open),
        LSM_HOOK_INIT(task_create, selinux_task_create),
        LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
        LSM_HOOK_INIT(cred_free, selinux_cred_free),
        LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
        LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
        LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
        LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
        LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
        LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
        LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
        LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
        LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
        LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
        LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
        LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
        LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
        LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
        LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
        LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
        LSM_HOOK_INIT(task_kill, selinux_task_kill),
        LSM_HOOK_INIT(task_wait, selinux_task_wait),
        LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
        LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
        LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
        LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
        LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
        LSM_HOOK_INIT(msg_queue_alloc_security, selinux_msg_queue_alloc_security),
        LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
        LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
        LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
        LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
        LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
        LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
        LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
        LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
        LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
        LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
        LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
        LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
        LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
        LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
        LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
        LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
        LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
        LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
        LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
        LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
        LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
        LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
        LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
        LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
        LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
        LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
        LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
        LSM_HOOK_INIT(socket_create, selinux_socket_create),
        LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
        LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
        LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
        LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
        LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
        LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
        LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
        LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
        LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
        LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
        LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
        LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
        LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
        LSM_HOOK_INIT(socket_getpeersec_stream, selinux_socket_getpeersec_stream),
        LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
        LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
        LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
        LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
        LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
        LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
        LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
        LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
        LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
        LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
        LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
        LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
        LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
        LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
        LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
        LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
        LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
        LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
        LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
    #ifdef CONFIG_SECURITY_NETWORK_XFRM
        LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
        LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
        LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
        LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
        LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
        LSM_HOOK_INIT(xfrm_state_alloc_acquire, selinux_xfrm_state_alloc_acquire),
        LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
        LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
        LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
        LSM_HOOK_INIT(xfrm_state_pol_flow_match, selinux_xfrm_state_pol_flow_match),
        LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
    #endif
    #ifdef CONFIG_KEYS
        LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
        LSM_HOOK_INIT(key_free, selinux_key_free),
        LSM_HOOK_INIT(key_permission, selinux_key_permission),
        LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
    #endif
    #ifdef CONFIG_AUDIT
        LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
        LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
        LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
        LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
    #endif
    };

