[PATCH] security: Export few symbols referred by other modules

[PATCH] security: Export few symbols referred by other modules

[Hareesh Gundu]

Export mmap_min_addr and security_mmap_addr() to allow
kernel modules to use them.

Signed-off-by: Hareesh Gundu <hareeshg@codeaurora.org>
---
 security/min_addr.c | 1 +
 security/security.c | 1 +
 2 files changed, 2 insertions(+)

diff --git a/security/min_addr.c b/security/min_addr.c
index 94d2b0c..4653711 100644
--- a/security/min_addr.c
+++ b/security/min_addr.c
@@ -6,6 +6,7 @@
 
 /* amount of vm to protect from userspace access by both DAC and the LSM*/
 unsigned long mmap_min_addr;
+EXPORT_SYMBOL(mmap_min_addr);
 /* amount of vm to protect from userspace using CAP_SYS_RAWIO (DAC) */
 unsigned long dac_mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
 /* amount of vm to protect from userspace using the LSM = CONFIG_LSM_MMAP_MIN_ADDR */
diff --git a/security/security.c b/security/security.c
index 1cd8526..27874a3 100644
--- a/security/security.c
+++ b/security/security.c
@@ -931,6 +931,7 @@ int security_mmap_addr(unsigned long addr)
 {
 	return call_int_hook(mmap_addr, 0, addr);
 }
+EXPORT_SYMBOL(security_mmap_addr);
 
 int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
 			    unsigned long prot)
-- 
1.9.1

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH] security: Export few symbols referred by other modules

[James Morris]

On Tue, 5 Dec 2017, Hareesh Gundu wrote:

> Export mmap_min_addr and security_mmap_addr() to allow
> kernel modules to use them.
> 
> Signed-off-by: Hareesh Gundu <hareeshg@codeaurora.org>

I'm not sure whether this should be EXPORT_SYMBOL or EXPORT_SYMBOL_GPL, as 
this hook was added in 2009, well after EXPORT_SYMBOL_GPL came into being.

Most of the LSM hooks are marked EXPORT_SYMBOL because they were part of 
an existing interface when EXPORT_SYMBOL_GPL was introduced, IIRC.

What do folks think?




> ---
>  security/min_addr.c | 1 +
>  security/security.c | 1 +
>  2 files changed, 2 insertions(+)
> 
> diff --git a/security/min_addr.c b/security/min_addr.c
> index 94d2b0c..4653711 100644
> --- a/security/min_addr.c
> +++ b/security/min_addr.c
> @@ -6,6 +6,7 @@
>  
>  /* amount of vm to protect from userspace access by both DAC and the LSM*/
>  unsigned long mmap_min_addr;
> +EXPORT_SYMBOL(mmap_min_addr);
>  /* amount of vm to protect from userspace using CAP_SYS_RAWIO (DAC) */
>  unsigned long dac_mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
>  /* amount of vm to protect from userspace using the LSM = CONFIG_LSM_MMAP_MIN_ADDR */
> diff --git a/security/security.c b/security/security.c
> index 1cd8526..27874a3 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -931,6 +931,7 @@ int security_mmap_addr(unsigned long addr)
>  {
>  	return call_int_hook(mmap_addr, 0, addr);
>  }
> +EXPORT_SYMBOL(security_mmap_addr);
>  
>  int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
>  			    unsigned long prot)
> -- 
> 1.9.1
> 

-- 
James Morris
<james.l.morris@oracle.com>

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH] security: Export few symbols referred by other modules

[Tetsuo Handa]

James Morris wrote:
> On Tue, 5 Dec 2017, Hareesh Gundu wrote:
> 
> > Export mmap_min_addr and security_mmap_addr() to allow
> > kernel modules to use them.
> > 
> > Signed-off-by: Hareesh Gundu <hareeshg@codeaurora.org>
> 
> I'm not sure whether this should be EXPORT_SYMBOL or EXPORT_SYMBOL_GPL, as 
> this hook was added in 2009, well after EXPORT_SYMBOL_GPL came into being.
> 
> Most of the LSM hooks are marked EXPORT_SYMBOL because they were part of 
> an existing interface when EXPORT_SYMBOL_GPL was introduced, IIRC.
> 
> What do folks think?
> 
We don't export symbols not used by in-tree modules.
Which in-tree module needs to access these symbols?
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH] security: Export few symbols referred by other modules

[Greg KH]

On Tue, Dec 05, 2017 at 11:04:35PM +1100, James Morris wrote:
> On Tue, 5 Dec 2017, Hareesh Gundu wrote:
> 
> > Export mmap_min_addr and security_mmap_addr() to allow
> > kernel modules to use them.

What in-tree kernel module needs these symbols?

thanks,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH] security: Export few symbols referred by other modules

[Hareesh Gundu]

On 12/5/2017 6:51 PM, Tetsuo Handa wrote:
> James Morris wrote:
>> On Tue, 5 Dec 2017, Hareesh Gundu wrote:
>>
>>> Export mmap_min_addr and security_mmap_addr() to allow
>>> kernel modules to use them.
>>>
>>> Signed-off-by: Hareesh Gundu <hareeshg@codeaurora.org>
Can other folks comment whether this should be EXPORT_SYMBOL or 
EXPORT_SYMBOL_GPL ?
>> I'm not sure whether this should be EXPORT_SYMBOL or EXPORT_SYMBOL_GPL, as
>> this hook was added in 2009, well after EXPORT_SYMBOL_GPL came into being.
>>
>> Most of the LSM hooks are marked EXPORT_SYMBOL because they were part of
>> an existing interface when EXPORT_SYMBOL_GPL was introduced, IIRC.
>>
>> What do folks think?
>>
 ?That's right, This change is for outside kernel tree modules.
> We don't export symbols not used by in-tree modules.
> Which in-tree module needs to access these symbols?
>

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH] security: Export few symbols referred by other modules

[Greg KH]

On Wed, Dec 06, 2017 at 08:45:01PM +0530, Hareesh Gundu wrote:
> On 12/5/2017 6:51 PM, Tetsuo Handa wrote:
> > James Morris wrote:
> > > On Tue, 5 Dec 2017, Hareesh Gundu wrote:
> > > 
> > > > Export mmap_min_addr and security_mmap_addr() to allow
> > > > kernel modules to use them.
> > > > 
> > > > Signed-off-by: Hareesh Gundu <hareeshg@codeaurora.org>
> Can other folks comment whether this should be EXPORT_SYMBOL or
> EXPORT_SYMBOL_GPL ?

What do you think?

> > > I'm not sure whether this should be EXPORT_SYMBOL or EXPORT_SYMBOL_GPL, as
> > > this hook was added in 2009, well after EXPORT_SYMBOL_GPL came into being.
> > > 
> > > Most of the LSM hooks are marked EXPORT_SYMBOL because they were part of
> > > an existing interface when EXPORT_SYMBOL_GPL was introduced, IIRC.
> > > 
> > > What do folks think?
> > > 
> ?That's right, This change is for outside kernel tree modules.

Then it should not be exported at all, sorry.

Please work to get your code merged into the kernel tree and then it can
be exported properly for it.  Odds are, you don't really need these
symbols, as {hint}, no one else does...

sorry,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH] security: Export few symbols referred by other modules

[James Morris]

On Wed, 6 Dec 2017, Greg KH wrote:

> On Wed, Dec 06, 2017 at 08:45:01PM +0530, Hareesh Gundu wrote:
> > On 12/5/2017 6:51 PM, Tetsuo Handa wrote:
> > > James Morris wrote:
> > > > On Tue, 5 Dec 2017, Hareesh Gundu wrote:
> > > > 
> > > > > Export mmap_min_addr and security_mmap_addr() to allow
> > > > > kernel modules to use them.
> > > > > 
> > > > > Signed-off-by: Hareesh Gundu <hareeshg@codeaurora.org>
> > Can other folks comment whether this should be EXPORT_SYMBOL or
> > EXPORT_SYMBOL_GPL ?
> 
> What do you think?

The API has some EXPORT_SYMBOLs already and it's probably not useful to 
add any EXPORT_SYMBOL_GPLs on a technical level, as you can't use the API 
with just those.

In terms of documenting developer intent, it may make a difference.

So, what I would propose is that for new hooks which are exported, the 
author can specify which type of export.  In the case of hooks which were 
added after EXPORT_SYMBOL_GPL was merged, and which are only now being 
exported, ask the original author of the hook to decide, otherwise default 
to EXPORT_SYMBOL, which is consistent with the most of the existing API.

For pre-EXPORT_SYMBOL_GPL hooks, if they need to be exported, continue to 
do so as EXPORT_SYMBOL.

And obviously all of the above is contingent on having in-tree users of 
exported hooks.




- James
-- 
James Morris
<james.l.morris@oracle.com>

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html