Date: Mon, 13 Feb 2017 16:31:40 +1100 (AEDT)
From: James Morris <jmorris@...ei.org>
To: linux-security-module@...r.kernel.org
cc: kernel-hardening@...ts.openwall.com
Subject: [RFC PATCH 0/4] ro hardening for the security subsystem

Hi Folks,

Please review/test these patches which add some read-only hardening to the 
security subsystem.

In this series, the following are marked as __ro_after_init:

- LSM hooks
- Netfilter hooks used by security/
- the default IMA rules

I've also constified the SELinux Netlink permission tables, which will 
ensure they're located in an RO section.

---

James Morris (4):
  security: mark LSM hooks as __ro_after_init
  security: mark nf ops in SELinux and Smack as __ro_after_init
  integrity: mark default IMA rules as __ro_after_init
  selinux: constify nlmsg permission tables

 security/apparmor/lsm.c             |    2 +-
 security/commoncap.c                |    2 +-
 security/integrity/ima/ima_policy.c |    8 ++++----
 security/loadpin/loadpin.c          |    2 +-
 security/security.c                 |    2 +-
 security/selinux/hooks.c            |    4 ++--
 security/selinux/nlmsgtab.c         |   10 +++++-----
 security/smack/smack_lsm.c          |    2 +-
 security/smack/smack_netfilter.c    |    2 +-
 security/tomoyo/tomoyo.c            |    2 +-
 security/yama/yama_lsm.c            |    2 +-
 11 files changed, 19 insertions(+), 19 deletions(-)


-- 
James Morris
<jmorris@...ei.org>
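
The effect of `__ro_after_init` on a hook table can be reproduced in userspace. The following is an added example, not code from this patch series or from the kernel: it uses `mmap`/`mprotect` as a stand-in for the kernel's read-only section, and the `hook_table` layout and all function names are hypothetical.

```c
#define _DEFAULT_SOURCE
#include <signal.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

typedef int (*hook_fn)(const char *path);
struct hook_table { hook_fn file_open; };  /* hypothetical, one hook */
static struct hook_table *hooks;  /* kept on its own page so it can be sealed */
static size_t hooks_len;

static int deny_all(const char *path)  { (void)path; return -1; }
static int allow_all(const char *path) { (void)path; return 0; }

/* Init phase: the table is writable while hooks are registered. */
int hooks_init(void)
{
    hooks_len = (size_t)sysconf(_SC_PAGESIZE);
    hooks = mmap(NULL, hooks_len, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (hooks == MAP_FAILED)
        return -1;
    hooks->file_open = deny_all;
    return 0;
}

/* End of init: drop write permission on the table's page. */
int hooks_seal(void) { return mprotect(hooks, hooks_len, PROT_READ); }

int call_file_open(const char *path) { return hooks->file_open(path); }

/* Attempt to repoint the hook in a child; returns the fatal signal, or 0. */
int try_overwrite_hook(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { hooks->file_open = allow_all; _exit(0); }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void)
{
    if (hooks_init() != 0) return 1;
    printf("before seal: signal %d\n", try_overwrite_hook());
    if (hooks_seal() != 0) return 1;
    printf("after seal:  signal %d\n", try_overwrite_hook());
    return call_file_open("/constructed/path") == -1 ? 0 : 1;
}
```

Before sealing, the write to the function pointer succeeds; after sealing, the same write faults, which is the property the series gives the LSM hook lists once init has finished.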
