James Morris
2017-10-16 06:44:03 UTC
This is a patch against the SELinux namespace work.
Mark the initial SELinux namespace pointer as __ro_after_init, to harden
against malicious overwrite by an attacker.
Signed-off-by: James Morris <***@oracle.com>
---
security/selinux/hooks.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 3daad14..98dbf57 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -97,7 +97,7 @@
#include "audit.h"
#include "avc_ss.h"
-struct selinux_ns *init_selinux_ns;
+struct selinux_ns *init_selinux_ns __ro_after_init;
/* SECMARK reference count */
static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
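Review bot: The `__ro_after_init` annotation on `init_selinux_ns` protects only the pointer variable; the `struct selinux_ns` it points to is not covered by this change and, if it is allocated dynamically (the allocation is not visible in this hunk), stays writable after boot, so the hardening does not extend to the namespace state itself. I would state that limit next to the declaration, for example `/* Set once during __init; only the pointer is read-only afterwards, not the selinux_ns it refers to. */`. The annotation also depends on every store to `init_selinux_ns` happening in init code, since a later write would fault; the assignment site is outside this hunk and should be confirmed. The same hunk is repeated further down the page, and this note applies there as well.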
Mark the initial SELinux namespace pointer as __ro_after_init, to harden
against malicious overwrite by an attacker.
Signed-off-by: James Morris <***@oracle.com>
---
security/selinux/hooks.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 3daad14..98dbf57 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -97,7 +97,7 @@
#include "audit.h"
#include "avc_ss.h"
-struct selinux_ns *init_selinux_ns;
+struct selinux_ns *init_selinux_ns __ro_after_init;
/* SECMARK reference count */
static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
--
1.8.3.1
--
James Morris
<***@oracle.com>
1.8.3.1
--
James Morris
<***@oracle.com>