[RFC] selinuxns: mark init_selinux_ns as __ro_after_init

Message ID alpine.LFD.2.20.1710161736340.9932@t440.gateway.2wire.net (mailing list archive)
State RFC

Commit Message

James Morris Oct. 16, 2017, 6:44 a.m. UTC
This is a patch against the SELinux namespace work.

Mark the initial SELinux namespace pointer as __ro_after_init, to harden 
against malicious overwrite by an attacker.

Signed-off-by: James Morris <james.l.morris@oracle.com>
---
 security/selinux/hooks.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Stephen Smalley Oct. 16, 2017, 4:27 p.m. UTC | #1
On Mon, 2017-10-16 at 17:44 +1100, James Morris wrote:
> This is a patch against the SELinux namespace work.
> 
> Mark the initial SELinux namespace pointer as __ro_after_init, to
> harden 
> against malicious overwrite by an attacker.
> 
> Signed-off-by: James Morris <james.l.morris@oracle.com>

Thanks, this looks fine; I can apply it on my branch if you want.
Note however that at this point, I am looking more for design
discussion and resolution of the problems noted in the patch
descriptions for the existing patches, and anticipate many of those
patches being substantially rewritten or discarded in any final
version.  This particular patch however could likely be rebased on top
of the first patch in the series and wouldn't be affected by such
changes.

> ---
>  security/selinux/hooks.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 3daad14..98dbf57 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -97,7 +97,7 @@
>  #include "audit.h"
>  #include "avc_ss.h"
>  
> -struct selinux_ns *init_selinux_ns;
> +struct selinux_ns *init_selinux_ns __ro_after_init;
>  
>  /* SECMARK reference count */
>  static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
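Review bot: The attribute on the `struct selinux_ns *init_selinux_ns` line protects only the pointer variable, not the `struct selinux_ns` object it refers to, so the commit message's "harden against malicious overwrite" should be scoped to the pointer: the namespace state reachable through it stays in ordinary writable memory. Stating that boundary in the description (and, if the initial namespace is a boot-time static object in this series, considering whether it could be placed in the same section) would make the intended protection clear to reviewers of the rest of the series.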
> -- 
> 1.8.3.1
> 
>

Patch

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 3daad14..98dbf57 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -97,7 +97,7 @@ 
 #include "audit.h"
 #include "avc_ss.h"
 
-struct selinux_ns *init_selinux_ns;
+struct selinux_ns *init_selinux_ns __ro_after_init;
 
 /* SECMARK reference count */
 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
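Review bot: The change at `+struct selinux_ns *init_selinux_ns __ro_after_init;` is only safe if every store to `init_selinux_ns` happens before `mark_rodata_ro()` seals the section; the initcall-time assignment in SELinux initialization satisfies that, but any later writer (for example a reinitialization or teardown path added by the namespace series) would fault once the page is read-only, so the commit message should note that the pointer is assigned exactly once at init and that this was checked. It is also worth recording that the write protection depends on CONFIG_STRICT_KERNEL_RWX; without it the variable is merely placed in `.data..ro_after_init` and remains writable.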