
security: Export few symbols referred by other modules

Message ID 1512471537-23865-1-git-send-email-hareeshg@codeaurora.org (mailing list archive)
State New, archived

Commit Message

Hareesh Gundu Dec. 5, 2017, 10:58 a.m. UTC
Export mmap_min_addr and security_mmap_addr() to allow
kernel modules to use them.

Signed-off-by: Hareesh Gundu <hareeshg@codeaurora.org>
---
 security/min_addr.c | 1 +
 security/security.c | 1 +
 2 files changed, 2 insertions(+)

Comments

James Morris Dec. 5, 2017, 12:04 p.m. UTC | #1
On Tue, 5 Dec 2017, Hareesh Gundu wrote:

> Export mmap_min_addr and security_mmap_addr() to allow
> kernel modules to use them.
> 
> Signed-off-by: Hareesh Gundu <hareeshg@codeaurora.org>

I'm not sure whether this should be EXPORT_SYMBOL or EXPORT_SYMBOL_GPL, as 
this hook was added in 2009, well after EXPORT_SYMBOL_GPL came into being.

Most of the LSM hooks are marked EXPORT_SYMBOL because they were part of 
an existing interface when EXPORT_SYMBOL_GPL was introduced, IIRC.

What do folks think?




> ---
>  security/min_addr.c | 1 +
>  security/security.c | 1 +
>  2 files changed, 2 insertions(+)
> 
> diff --git a/security/min_addr.c b/security/min_addr.c
> index 94d2b0c..4653711 100644
> --- a/security/min_addr.c
> +++ b/security/min_addr.c
> @@ -6,6 +6,7 @@
>  
>  /* amount of vm to protect from userspace access by both DAC and the LSM*/
>  unsigned long mmap_min_addr;
> +EXPORT_SYMBOL(mmap_min_addr);
>  /* amount of vm to protect from userspace using CAP_SYS_RAWIO (DAC) */
>  unsigned long dac_mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
>  /* amount of vm to protect from userspace using the LSM = CONFIG_LSM_MMAP_MIN_ADDR */
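
Review bot: The added `EXPORT_SYMBOL(mmap_min_addr);` sits directly above the comment for `dac_mmap_min_addr` with no blank line, and neither the changelog nor this hunk says why a module needs the raw value when the same patch also exports `security_mmap_addr()`. Name the consumer and the reason in the commit message, and if only the check is needed, drop this export and keep the hook.
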
> diff --git a/security/security.c b/security/security.c
> index 1cd8526..27874a3 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -931,6 +931,7 @@ int security_mmap_addr(unsigned long addr)
>  {
>  	return call_int_hook(mmap_addr, 0, addr);
>  }
> +EXPORT_SYMBOL(security_mmap_addr);
>  
>  int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
>  			    unsigned long prot)
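
Review bot: `EXPORT_SYMBOL(security_mmap_addr);` is added without any caller in this patch, so the export has no in-tree user to justify it or to show the intended usage. Submit the export in the same series as the module that calls it, and state in the changelog why `EXPORT_SYMBOL` was chosen over `EXPORT_SYMBOL_GPL`.
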
> -- 
> 1.9.1
>
Tetsuo Handa Dec. 5, 2017, 1:21 p.m. UTC | #2
James Morris wrote:
> On Tue, 5 Dec 2017, Hareesh Gundu wrote:
> 
> > Export mmap_min_addr and security_mmap_addr() to allow
> > kernel modules to use them.
> > 
> > Signed-off-by: Hareesh Gundu <hareeshg@codeaurora.org>
> 
> I'm not sure whether this should be EXPORT_SYMBOL or EXPORT_SYMBOL_GPL, as 
> this hook was added in 2009, well after EXPORT_SYMBOL_GPL came into being.
> 
> Most of the LSM hooks are marked EXPORT_SYMBOL because they were part of 
> an existing interface when EXPORT_SYMBOL_GPL was introduced, IIRC.
> 
> What do folks think?
> 
We don't export symbols not used by in-tree modules.
Which in-tree module needs to access these symbols?
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Greg Kroah-Hartman Dec. 5, 2017, 1:34 p.m. UTC | #3
On Tue, Dec 05, 2017 at 11:04:35PM +1100, James Morris wrote:
> On Tue, 5 Dec 2017, Hareesh Gundu wrote:
> 
> > Export mmap_min_addr and security_mmap_addr() to allow
> > kernel modules to use them.

What in-tree kernel module needs these symbols?

thanks,

greg k-h
Hareesh Gundu Dec. 6, 2017, 3:15 p.m. UTC | #4
On 12/5/2017 6:51 PM, Tetsuo Handa wrote:
> James Morris wrote:
>> On Tue, 5 Dec 2017, Hareesh Gundu wrote:
>>
>>> Export mmap_min_addr and security_mmap_addr() to allow
>>> kernel modules to use them.
>>>
>>> Signed-off-by: Hareesh Gundu <hareeshg@codeaurora.org>

Can other folks comment whether this should be EXPORT_SYMBOL or
EXPORT_SYMBOL_GPL?

>> I'm not sure whether this should be EXPORT_SYMBOL or EXPORT_SYMBOL_GPL, as
>> this hook was added in 2009, well after EXPORT_SYMBOL_GPL came into being.
>>
>> Most of the LSM hooks are marked EXPORT_SYMBOL because they were part of
>> an existing interface when EXPORT_SYMBOL_GPL was introduced, IIRC.
>>
>> What do folks think?
>>

That's right, this change is for outside kernel tree modules.

> We don't export symbols not used by in-tree modules.
> Which in-tree module needs to access these symbols?
>

Greg Kroah-Hartman Dec. 6, 2017, 3:32 p.m. UTC | #5
On Wed, Dec 06, 2017 at 08:45:01PM +0530, Hareesh Gundu wrote:
> On 12/5/2017 6:51 PM, Tetsuo Handa wrote:
> > James Morris wrote:
> > > On Tue, 5 Dec 2017, Hareesh Gundu wrote:
> > > 
> > > > Export mmap_min_addr and security_mmap_addr() to allow
> > > > kernel modules to use them.
> > > > 
> > > > Signed-off-by: Hareesh Gundu <hareeshg@codeaurora.org>
> Can other folks comment whether this should be EXPORT_SYMBOL or
> EXPORT_SYMBOL_GPL ?

What do you think?

> > > I'm not sure whether this should be EXPORT_SYMBOL or EXPORT_SYMBOL_GPL, as
> > > this hook was added in 2009, well after EXPORT_SYMBOL_GPL came into being.
> > > 
> > > Most of the LSM hooks are marked EXPORT_SYMBOL because they were part of
> > > an existing interface when EXPORT_SYMBOL_GPL was introduced, IIRC.
> > > 
> > > What do folks think?
> > > 
>  That's right, This change is for outside kernel tree modules.

Then it should not be exported at all, sorry.

Please work to get your code merged into the kernel tree and then it can
be exported properly for it.  Odds are, you don't really need these
symbols, as {hint}, no one else does...

sorry,

greg k-h
James Morris Dec. 7, 2017, 12:10 a.m. UTC | #6
On Wed, 6 Dec 2017, Greg KH wrote:

> On Wed, Dec 06, 2017 at 08:45:01PM +0530, Hareesh Gundu wrote:
> > On 12/5/2017 6:51 PM, Tetsuo Handa wrote:
> > > James Morris wrote:
> > > > On Tue, 5 Dec 2017, Hareesh Gundu wrote:
> > > > 
> > > > > Export mmap_min_addr and security_mmap_addr() to allow
> > > > > kernel modules to use them.
> > > > > 
> > > > > Signed-off-by: Hareesh Gundu <hareeshg@codeaurora.org>
> > Can other folks comment whether this should be EXPORT_SYMBOL or
> > EXPORT_SYMBOL_GPL ?
> 
> What do you think?

The API has some EXPORT_SYMBOLs already and it's probably not useful to 
add any EXPORT_SYMBOL_GPLs on a technical level, as you can't use the API 
with just those.

In terms of documenting developer intent, it may make a difference.

So, what I would propose is that for new hooks which are exported, the 
author can specify which type of export.  In the case of hooks which were 
added after EXPORT_SYMBOL_GPL was merged, and which are only now being 
exported, ask the original author of the hook to decide, otherwise default 
to EXPORT_SYMBOL, which is consistent with the most of the existing API.

For pre-EXPORT_SYMBOL_GPL hooks, if they need to be exported, continue to 
do so as EXPORT_SYMBOL.

And obviously all of the above is contingent on having in-tree users of 
exported hooks.




- James

Patch

diff --git a/security/min_addr.c b/security/min_addr.c
index 94d2b0c..4653711 100644
--- a/security/min_addr.c
+++ b/security/min_addr.c
@@ -6,6 +6,7 @@ 
 
 /* amount of vm to protect from userspace access by both DAC and the LSM*/
 unsigned long mmap_min_addr;
+EXPORT_SYMBOL(mmap_min_addr);
 /* amount of vm to protect from userspace using CAP_SYS_RAWIO (DAC) */
 unsigned long dac_mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
 /* amount of vm to protect from userspace using the LSM = CONFIG_LSM_MMAP_MIN_ADDR */
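
Review bot: `EXPORT_SYMBOL(mmap_min_addr);` exports a plain writable `unsigned long`, so every loadable module gains write access to the value that the comment above it describes as the amount of vm protected from userspace by both DAC and the LSM. If a module only needs to read the limit, export a small accessor function that returns it instead of the variable itself.
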
diff --git a/security/security.c b/security/security.c
index 1cd8526..27874a3 100644
--- a/security/security.c
+++ b/security/security.c
@@ -931,6 +931,7 @@  int security_mmap_addr(unsigned long addr)
 {
 	return call_int_hook(mmap_addr, 0, addr);
 }
+EXPORT_SYMBOL(security_mmap_addr);
 
 int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
 			    unsigned long prot)
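
Review bot: Once `security_mmap_addr()` is exported it becomes an interface for module authors, but the function carries no comment describing its contract; the hunk only shows it returning `call_int_hook(mmap_addr, 0, addr)`. Add a kernel-doc comment above the function stating what the return value means and when a caller is expected to invoke it.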