* [kernel-hardening] [RFC PATCH 4/4] selinux: constify nlmsg permission tables
@ 2017-02-13  5:35 James Morris
  2017-02-14  0:19   ` [kernel-hardening] " Paul Moore
  0 siblings, 1 reply; 5+ messages in thread
From: James Morris @ 2017-02-13  5:35 UTC (permalink / raw)
  To: linux-security-module; +Cc: kernel-hardening, Paul Moore, Stephen Smalley

Constify nlmsg permission tables, which are initialized once
and then do not change.

Signed-off-by: James Morris <james.l.morris@oracle.com>
---
 security/selinux/nlmsgtab.c |   10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index 2ca9cde..57e2596 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -28,7 +28,7 @@ struct nlmsg_perm {
 	u32	perm;
 };
 
-static struct nlmsg_perm nlmsg_route_perms[] =
+static const struct nlmsg_perm nlmsg_route_perms[] =
 {
 	{ RTM_NEWLINK,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
 	{ RTM_DELLINK,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
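Review bot: Nothing next to `nlmsg_route_perms` records why the table is `const`, and the same applies to the tcpdiag, xfrm and audit tables in the next three hunks. Each entry pairs a netlink message type with the SELinux permission checked for it, so the qualifier is presumably there to let the mapping live in read-only data rather than in writable kernel memory. A one-line comment above the first table, for example `/* Message type -> permission map; const so it can be placed in read-only data. */`, would stop a later cleanup from dropping the qualifier unnoticed. The table bodies continue outside the hunks shown here.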
@@ -80,7 +80,7 @@ struct nlmsg_perm {
 	{ RTM_GETSTATS,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
 };
 
-static struct nlmsg_perm nlmsg_tcpdiag_perms[] =
+static const struct nlmsg_perm nlmsg_tcpdiag_perms[] =
 {
 	{ TCPDIAG_GETSOCK,	NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
 	{ DCCPDIAG_GETSOCK,	NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
@@ -88,7 +88,7 @@ struct nlmsg_perm {
 	{ SOCK_DESTROY,		NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE },
 };
 
-static struct nlmsg_perm nlmsg_xfrm_perms[] =
+static const struct nlmsg_perm nlmsg_xfrm_perms[] =
 {
 	{ XFRM_MSG_NEWSA,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
 	{ XFRM_MSG_DELSA,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
@@ -115,7 +115,7 @@ struct nlmsg_perm {
 	{ XFRM_MSG_MAPPING,	NETLINK_XFRM_SOCKET__NLMSG_READ  },
 };
 
-static struct nlmsg_perm nlmsg_audit_perms[] =
+static const struct nlmsg_perm nlmsg_audit_perms[] =
 {
 	{ AUDIT_GET,		NETLINK_AUDIT_SOCKET__NLMSG_READ     },
 	{ AUDIT_SET,		NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
@@ -136,7 +136,7 @@ struct nlmsg_perm {
 };
 
 
-static int nlmsg_perm(u16 nlmsg_type, u32 *perm, struct nlmsg_perm *tab, size_t tabsize)
+static int nlmsg_perm(u16 nlmsg_type, u32 *perm, const struct nlmsg_perm *tab, size_t tabsize)
 {
 	int i, err = -EINVAL;
 
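Review bot: The new `nlmsg_perm()` prototype runs to roughly 94 columns, further past the 80-column limit than the line it replaces; since the line is being touched anyway it could be wrapped as `static int nlmsg_perm(u16 nlmsg_type, u32 *perm,` followed by `const struct nlmsg_perm *tab, size_t tabsize)`. The function body continues outside the hunk, so the loop cannot be checked from here. If the `int i` declared on the visible line is compared against a count derived from the `size_t tabsize`, that signed/unsigned comparison deserves a separate look.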
-- 
1.7.1


* Re: [RFC PATCH 4/4] selinux: constify nlmsg permission tables
  2017-02-13  5:35 [kernel-hardening] [RFC PATCH 4/4] selinux: constify nlmsg permission tables James Morris
@ 2017-02-14  0:19   ` Paul Moore
  0 siblings, 0 replies; 5+ messages in thread
From: Paul Moore @ 2017-02-14  0:19 UTC (permalink / raw)
  To: James Morris
  Cc: linux-security-module, kernel-hardening, Stephen Smalley, selinux

On Mon, Feb 13, 2017 at 12:35 AM, James Morris <jmorris@namei.org> wrote:
> Constify nlmsg permission tables, which are initialized once
> and then do not change.
>
> Signed-off-by: James Morris <james.l.morris@oracle.com>
> ---
>  security/selinux/nlmsgtab.c |   10 +++++-----
>  1 files changed, 5 insertions(+), 5 deletions(-)

The SELinux list should have been CC'd on this patch - come on James,
you know better ;)

Normally I push patches this close to the merge window out until after
the merge window, but this is trivial and easily verified by the
compiler so I've merged this.

James, if you want to grab it for v4.11 you can pull from the tree below:

git://git.infradead.org/users/pcmoore/selinux stable-4.11

> diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
> index 2ca9cde..57e2596 100644
> --- a/security/selinux/nlmsgtab.c
> +++ b/security/selinux/nlmsgtab.c
> @@ -28,7 +28,7 @@ struct nlmsg_perm {
>         u32     perm;
>  };
>
> -static struct nlmsg_perm nlmsg_route_perms[] =
> +static const struct nlmsg_perm nlmsg_route_perms[] =
>  {
>         { RTM_NEWLINK,          NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
>         { RTM_DELLINK,          NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
> @@ -80,7 +80,7 @@ struct nlmsg_perm {
>         { RTM_GETSTATS,         NETLINK_ROUTE_SOCKET__NLMSG_READ  },
>  };
>
> -static struct nlmsg_perm nlmsg_tcpdiag_perms[] =
> +static const struct nlmsg_perm nlmsg_tcpdiag_perms[] =
>  {
>         { TCPDIAG_GETSOCK,      NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
>         { DCCPDIAG_GETSOCK,     NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
> @@ -88,7 +88,7 @@ struct nlmsg_perm {
>         { SOCK_DESTROY,         NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE },
>  };
>
> -static struct nlmsg_perm nlmsg_xfrm_perms[] =
> +static const struct nlmsg_perm nlmsg_xfrm_perms[] =
>  {
>         { XFRM_MSG_NEWSA,       NETLINK_XFRM_SOCKET__NLMSG_WRITE },
>         { XFRM_MSG_DELSA,       NETLINK_XFRM_SOCKET__NLMSG_WRITE },
> @@ -115,7 +115,7 @@ struct nlmsg_perm {
>         { XFRM_MSG_MAPPING,     NETLINK_XFRM_SOCKET__NLMSG_READ  },
>  };
>
> -static struct nlmsg_perm nlmsg_audit_perms[] =
> +static const struct nlmsg_perm nlmsg_audit_perms[] =
>  {
>         { AUDIT_GET,            NETLINK_AUDIT_SOCKET__NLMSG_READ     },
>         { AUDIT_SET,            NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
> @@ -136,7 +136,7 @@ struct nlmsg_perm {
>  };
>
>
> -static int nlmsg_perm(u16 nlmsg_type, u32 *perm, struct nlmsg_perm *tab, size_t tabsize)
> +static int nlmsg_perm(u16 nlmsg_type, u32 *perm, const struct nlmsg_perm *tab, size_t tabsize)
>  {
>         int i, err = -EINVAL;
>
> --
> 1.7.1
>

-- 
paul moore
www.paul-moore.com


* [kernel-hardening] Re: [RFC PATCH 4/4] selinux: constify nlmsg permission tables
@ 2017-02-14  0:19   ` Paul Moore
  0 siblings, 0 replies; 5+ messages in thread
From: Paul Moore @ 2017-02-14  0:19 UTC (permalink / raw)
  To: James Morris
  Cc: linux-security-module, kernel-hardening, Stephen Smalley, selinux

On Mon, Feb 13, 2017 at 12:35 AM, James Morris <jmorris@namei.org> wrote:
> Constify nlmsg permission tables, which are initialized once
> and then do not change.
>
> Signed-off-by: James Morris <james.l.morris@oracle.com>
> ---
>  security/selinux/nlmsgtab.c |   10 +++++-----
>  1 files changed, 5 insertions(+), 5 deletions(-)

The SELinux list should have been CC'd on this patch - come on James,
you know better ;)

Normally I push patches this close to the merge window out until after
the merge window, but this is trivial and easily verified by the
compiler so I've merged this.

James, if you want to grab it for v4.11 you can pull from the tree below:

git://git.infradead.org/users/pcmoore/selinux stable-4.11

> diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
> index 2ca9cde..57e2596 100644
> --- a/security/selinux/nlmsgtab.c
> +++ b/security/selinux/nlmsgtab.c
> @@ -28,7 +28,7 @@ struct nlmsg_perm {
>         u32     perm;
>  };
>
> -static struct nlmsg_perm nlmsg_route_perms[] =
> +static const struct nlmsg_perm nlmsg_route_perms[] =
>  {
>         { RTM_NEWLINK,          NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
>         { RTM_DELLINK,          NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
> @@ -80,7 +80,7 @@ struct nlmsg_perm {
>         { RTM_GETSTATS,         NETLINK_ROUTE_SOCKET__NLMSG_READ  },
>  };
>
> -static struct nlmsg_perm nlmsg_tcpdiag_perms[] =
> +static const struct nlmsg_perm nlmsg_tcpdiag_perms[] =
>  {
>         { TCPDIAG_GETSOCK,      NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
>         { DCCPDIAG_GETSOCK,     NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
> @@ -88,7 +88,7 @@ struct nlmsg_perm {
>         { SOCK_DESTROY,         NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE },
>  };
>
> -static struct nlmsg_perm nlmsg_xfrm_perms[] =
> +static const struct nlmsg_perm nlmsg_xfrm_perms[] =
>  {
>         { XFRM_MSG_NEWSA,       NETLINK_XFRM_SOCKET__NLMSG_WRITE },
>         { XFRM_MSG_DELSA,       NETLINK_XFRM_SOCKET__NLMSG_WRITE },
> @@ -115,7 +115,7 @@ struct nlmsg_perm {
>         { XFRM_MSG_MAPPING,     NETLINK_XFRM_SOCKET__NLMSG_READ  },
>  };
>
> -static struct nlmsg_perm nlmsg_audit_perms[] =
> +static const struct nlmsg_perm nlmsg_audit_perms[] =
>  {
>         { AUDIT_GET,            NETLINK_AUDIT_SOCKET__NLMSG_READ     },
>         { AUDIT_SET,            NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
> @@ -136,7 +136,7 @@ struct nlmsg_perm {
>  };
>
>
> -static int nlmsg_perm(u16 nlmsg_type, u32 *perm, struct nlmsg_perm *tab, size_t tabsize)
> +static int nlmsg_perm(u16 nlmsg_type, u32 *perm, const struct nlmsg_perm *tab, size_t tabsize)
>  {
>         int i, err = -EINVAL;
>
> --
> 1.7.1
>

-- 
paul moore
www.paul-moore.com


* Re: [RFC PATCH 4/4] selinux: constify nlmsg permission tables
  2017-02-14  0:19   ` [kernel-hardening] " Paul Moore
@ 2017-02-28 21:15     ` Paul Moore
  -1 siblings, 0 replies; 5+ messages in thread
From: Paul Moore @ 2017-02-28 21:15 UTC (permalink / raw)
  To: selinux
  Cc: linux-security-module, kernel-hardening, Stephen Smalley, James Morris

On Mon, Feb 13, 2017 at 7:19 PM, Paul Moore <paul@paul-moore.com> wrote:
> On Mon, Feb 13, 2017 at 12:35 AM, James Morris <jmorris@namei.org> wrote:
>> Constify nlmsg permission tables, which are initialized once
>> and then do not change.
>>
>> Signed-off-by: James Morris <james.l.morris@oracle.com>
>> ---
>>  security/selinux/nlmsgtab.c |   10 +++++-----
>>  1 files changed, 5 insertions(+), 5 deletions(-)
>
> The SELinux list should have been CC'd on this patch - come on James,
> you know better ;)
>
> Normally I push patches this close to the merge window out until after
> the merge window, but this is trivial and easily verified by the
> compiler so I've merged this.
>
> James, if you want to grab it for v4.11 you can pull from the tree below:
>
> git://git.infradead.org/users/pcmoore/selinux stable-4.11

It doesn't appear that James picked this up for v4.11 so I've moved it
from the selinux/stable-4.11 branch to the selinux/next branch.  We'll
get it upstream during the next merge window.

>> diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
>> index 2ca9cde..57e2596 100644
>> --- a/security/selinux/nlmsgtab.c
>> +++ b/security/selinux/nlmsgtab.c
>> @@ -28,7 +28,7 @@ struct nlmsg_perm {
>>         u32     perm;
>>  };
>>
>> -static struct nlmsg_perm nlmsg_route_perms[] =
>> +static const struct nlmsg_perm nlmsg_route_perms[] =
>>  {
>>         { RTM_NEWLINK,          NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
>>         { RTM_DELLINK,          NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
>> @@ -80,7 +80,7 @@ struct nlmsg_perm {
>>         { RTM_GETSTATS,         NETLINK_ROUTE_SOCKET__NLMSG_READ  },
>>  };
>>
>> -static struct nlmsg_perm nlmsg_tcpdiag_perms[] =
>> +static const struct nlmsg_perm nlmsg_tcpdiag_perms[] =
>>  {
>>         { TCPDIAG_GETSOCK,      NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
>>         { DCCPDIAG_GETSOCK,     NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
>> @@ -88,7 +88,7 @@ struct nlmsg_perm {
>>         { SOCK_DESTROY,         NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE },
>>  };
>>
>> -static struct nlmsg_perm nlmsg_xfrm_perms[] =
>> +static const struct nlmsg_perm nlmsg_xfrm_perms[] =
>>  {
>>         { XFRM_MSG_NEWSA,       NETLINK_XFRM_SOCKET__NLMSG_WRITE },
>>         { XFRM_MSG_DELSA,       NETLINK_XFRM_SOCKET__NLMSG_WRITE },
>> @@ -115,7 +115,7 @@ struct nlmsg_perm {
>>         { XFRM_MSG_MAPPING,     NETLINK_XFRM_SOCKET__NLMSG_READ  },
>>  };
>>
>> -static struct nlmsg_perm nlmsg_audit_perms[] =
>> +static const struct nlmsg_perm nlmsg_audit_perms[] =
>>  {
>>         { AUDIT_GET,            NETLINK_AUDIT_SOCKET__NLMSG_READ     },
>>         { AUDIT_SET,            NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
>> @@ -136,7 +136,7 @@ struct nlmsg_perm {
>>  };
>>
>>
>> -static int nlmsg_perm(u16 nlmsg_type, u32 *perm, struct nlmsg_perm *tab, size_t tabsize)
>> +static int nlmsg_perm(u16 nlmsg_type, u32 *perm, const struct nlmsg_perm *tab, size_t tabsize)
>>  {
>>         int i, err = -EINVAL;
>>

-- 
paul moore
www.paul-moore.com


* [kernel-hardening] Re: [RFC PATCH 4/4] selinux: constify nlmsg permission tables
@ 2017-02-28 21:15     ` Paul Moore
  0 siblings, 0 replies; 5+ messages in thread
From: Paul Moore @ 2017-02-28 21:15 UTC (permalink / raw)
  To: selinux
  Cc: linux-security-module, kernel-hardening, Stephen Smalley, James Morris

On Mon, Feb 13, 2017 at 7:19 PM, Paul Moore <paul@paul-moore.com> wrote:
> On Mon, Feb 13, 2017 at 12:35 AM, James Morris <jmorris@namei.org> wrote:
>> Constify nlmsg permission tables, which are initialized once
>> and then do not change.
>>
>> Signed-off-by: James Morris <james.l.morris@oracle.com>
>> ---
>>  security/selinux/nlmsgtab.c |   10 +++++-----
>>  1 files changed, 5 insertions(+), 5 deletions(-)
>
> The SELinux list should have been CC'd on this patch - come on James,
> you know better ;)
>
> Normally I push patches this close to the merge window out until after
> the merge window, but this is trivial and easily verified by the
> compiler so I've merged this.
>
> James, if you want to grab it for v4.11 you can pull from the tree below:
>
> git://git.infradead.org/users/pcmoore/selinux stable-4.11

It doesn't appear that James picked this up for v4.11 so I've moved it
from the selinux/stable-4.11 branch to the selinux/next branch.  We'll
get it upstream during the next merge window.

>> diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
>> index 2ca9cde..57e2596 100644
>> --- a/security/selinux/nlmsgtab.c
>> +++ b/security/selinux/nlmsgtab.c
>> @@ -28,7 +28,7 @@ struct nlmsg_perm {
>>         u32     perm;
>>  };
>>
>> -static struct nlmsg_perm nlmsg_route_perms[] =
>> +static const struct nlmsg_perm nlmsg_route_perms[] =
>>  {
>>         { RTM_NEWLINK,          NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
>>         { RTM_DELLINK,          NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
>> @@ -80,7 +80,7 @@ struct nlmsg_perm {
>>         { RTM_GETSTATS,         NETLINK_ROUTE_SOCKET__NLMSG_READ  },
>>  };
>>
>> -static struct nlmsg_perm nlmsg_tcpdiag_perms[] =
>> +static const struct nlmsg_perm nlmsg_tcpdiag_perms[] =
>>  {
>>         { TCPDIAG_GETSOCK,      NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
>>         { DCCPDIAG_GETSOCK,     NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
>> @@ -88,7 +88,7 @@ struct nlmsg_perm {
>>         { SOCK_DESTROY,         NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE },
>>  };
>>
>> -static struct nlmsg_perm nlmsg_xfrm_perms[] =
>> +static const struct nlmsg_perm nlmsg_xfrm_perms[] =
>>  {
>>         { XFRM_MSG_NEWSA,       NETLINK_XFRM_SOCKET__NLMSG_WRITE },
>>         { XFRM_MSG_DELSA,       NETLINK_XFRM_SOCKET__NLMSG_WRITE },
>> @@ -115,7 +115,7 @@ struct nlmsg_perm {
>>         { XFRM_MSG_MAPPING,     NETLINK_XFRM_SOCKET__NLMSG_READ  },
>>  };
>>
>> -static struct nlmsg_perm nlmsg_audit_perms[] =
>> +static const struct nlmsg_perm nlmsg_audit_perms[] =
>>  {
>>         { AUDIT_GET,            NETLINK_AUDIT_SOCKET__NLMSG_READ     },
>>         { AUDIT_SET,            NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
>> @@ -136,7 +136,7 @@ struct nlmsg_perm {
>>  };
>>
>>
>> -static int nlmsg_perm(u16 nlmsg_type, u32 *perm, struct nlmsg_perm *tab, size_t tabsize)
>> +static int nlmsg_perm(u16 nlmsg_type, u32 *perm, const struct nlmsg_perm *tab, size_t tabsize)
>>  {
>>         int i, err = -EINVAL;
>>

-- 
paul moore
www.paul-moore.com

