Message-Id: <201702140705.FIJ18206.FOtJOHFFLMSVQO@I-love.SAKURA.ne.jp>
Date: Tue, 14 Feb 2017 07:05:39 +0900
From: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
To: keescook@...omium.org, casey@...aufler-ca.com
Cc: sds@...ho.nsa.gov, jmorris@...ei.org,
        linux-security-module@...r.kernel.org,
        kernel-hardening@...ts.openwall.com, paul@...l-moore.com
Subject: Re: [RFC PATCH 2/4] security: mark nf ops in SELinux and Smack as __ro_after_init

Kees Cook wrote:
> On Mon, Feb 13, 2017 at 1:32 PM, Casey Schaufler <casey@...aufler-ca.com> wrote:
> > If we changed CONFIG_SECURITY_SELINUX_DISABLE to
> > CONFIG_SECURITY_DYNAMIC_MODULES and put the __ro_after_init
> > under !CONFIG_SECURITY_DYNAMIC_MODULES we solve both the
> > current and potential future issues.
> 
> Something like...
> 
> #ifdef CONFIG_SECURITY_DYNAMIC_LSM
> # define lsm_ro_after_init __ro_after_init
> # define lsm_const         const
> #else
> # define lsm_ro_after_init
> # define lsm_const
> #endif
> 
> ?

Fedora/RHEL won't use CONFIG_SECURITY_DYNAMIC_LSM=y whereas
LKM based LSMs are targeted for such distributions.

I don't worry much about Android, for manufacturers who ship their
products with TOMOYO enabled can rebuild their kernels. But asking
end users to rebuild Fedora/RHEL kernels is too painful.
