Date: Mon, 13 Feb 2017 16:33:13 +1100 (AEDT)
From: James Morris <jmorris@...ei.org>
To: linux-security-module@...r.kernel.org
cc: kernel-hardening@...ts.openwall.com
Subject: [RFC PATCH 2/4] security: mark nf ops in SELinux and Smack as
 __ro_after_init

Both SELinux and Smack register Netfilter operations during init,
which then don't change.  Mark these ops as __ro_after_init.

Signed-off-by: James Morris <james.l.morris@...cle.com>
---
 security/selinux/hooks.c         |    2 +-
 security/smack/smack_netfilter.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 9599e97..37a7866 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6379,7 +6379,7 @@ void selinux_complete_init(void)
 
 #if defined(CONFIG_NETFILTER)
 
-static struct nf_hook_ops selinux_nf_ops[] = {
+static struct nf_hook_ops selinux_nf_ops[] __ro_after_init = {
 	{
 		.hook =		selinux_ipv4_postroute,
 		.pf =		NFPROTO_IPV4,
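
Review bot: At the selinux_nf_ops[] declaration, the changelog covers registration ("during init") but says nothing about teardown. Once the array is __ro_after_init, any later write into its entries faults, so if these hooks can be unregistered after boot and that path modifies the nf_hook_ops entries, this change turns it into an oops. Suggest the changelog state that no post-init path writes to the array, or name the paths that were checked; the registration and unregistration calls are outside this hunk's context.
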
diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c
index 205b785..b945f2c 100644
--- a/security/smack/smack_netfilter.c
+++ b/security/smack/smack_netfilter.c
@@ -57,7 +57,7 @@ static unsigned int smack_ipv4_output(void *priv,
 	return NF_ACCEPT;
 }
 
-static struct nf_hook_ops smack_nf_ops[] = {
+static struct nf_hook_ops smack_nf_ops[] __ro_after_init = {
 	{
 		.hook =		smack_ipv4_output,
 		.pf =		NFPROTO_IPV4,
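
Review bot: For smack_nf_ops[], the hunk context shows only smack_ipv4_output() and the declaration, so the claim that registration happens during init cannot be checked from the patch itself. Suggest naming the registering function in the changelog and confirming it is an __init path that runs before init memory is marked read-only; a registration that ran later and wrote into the entries would fault on the now read-only array. A one-line comment above the array saying it is only written at init registration would also help anyone who later adds a runtime change.
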
-- 
1.7.1
