Re: [PATCH v2 3/4] selinux: use vma_is_initial_stack() and vma_is_initial_heap()

2023-07-21 Thread Paul Moore
On Thu, Jul 20, 2023 at 4:28 AM Kefeng Wang  wrote:
> On 2023/7/19 23:25, Paul Moore wrote:
> > On Wed, Jul 19, 2023 at 6:23 AM Kefeng Wang  
> > wrote:
> >> On 2023/7/19 17:02, Christian Göttsche wrote:
> >>> On Wed, 19 Jul 2023 at 09:40, Kefeng Wang  
> >>> wrote:
> >>>>
> >>>> Use the helpers to simplify code.
> >>>>
> >>>> Cc: Paul Moore 
> >>>> Cc: Stephen Smalley 
> >>>> Cc: Eric Paris 
> >>>> Acked-by: Paul Moore 
> >>>> Signed-off-by: Kefeng Wang 
> >>>> ---
> >>>>security/selinux/hooks.c | 7 ++-
> >>>>1 file changed, 2 insertions(+), 5 deletions(-)
> >>>>
> >>>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> >>>> index d06e350fedee..ee8575540a8e 100644
> >>>> --- a/security/selinux/hooks.c
> >>>> +++ b/security/selinux/hooks.c
> >>>> @@ -3762,13 +3762,10 @@ static int selinux_file_mprotect(struct 
> >>>> vm_area_struct *vma,
> >>>>   if (default_noexec &&
> >>>>   (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
> >>>>   int rc = 0;
> >>>> -   if (vma->vm_start >= vma->vm_mm->start_brk &&
> >>>> -   vma->vm_end <= vma->vm_mm->brk) {
> >>>> +   if (vma_is_initial_heap(vma)) {
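Review bot: the replacement at `+ if (vma_is_initial_heap(vma)) {` widens the condition from containment to overlap, so it is not the pure simplification the commit message claims. The removed lines required `vma->vm_start >= vma->vm_mm->start_brk && vma->vm_end <= vma->vm_mm->brk`, i.e. the whole vma inside the heap, whereas the helper (as the reply below reads it) tests whether [start_brk, brk] intersects [vm_start, vm_end]. A mapping that straddles a heap boundary therefore now takes the PROCESS__EXECHEAP branch instead of falling through to the later branches of the same if/else chain. If that is intended, say so in the commit message; if not, keep the open-coded containment check here.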
> >>>
> >>> This seems to change the condition from
> >>>
> >>>   vma->vm_start >= vma->vm_mm->start_brk && vma->vm_end <= 
> >>> vma->vm_mm->brk
> >>>
> >>> to
> >>>
> >>>   vma->vm_start <= vma->vm_mm->brk && vma->vm_end >= 
> >>> vma->vm_mm->start_brk
> >>>
> >>> (or AND arguments swapped)
> >>>
> >>>   vma->vm_end >= vma->vm_mm->start_brk && vma->vm_start <= 
> >>> vma->vm_mm->brk
> >>>
> >>> Is this intended?
> >>
> >> The new condition is to check whether there is an intersection between
> >> [start_brk, brk] and [vm_start, vm_end]; it contains the original check, so
> >> I think it is ok, but for the SELinux check, I am not sure if there is
> >> some other problem.
> >
> > This particular SELinux vma check is to see if the vma falls within the
> > heap; can you confirm that this change preserves this?
>
> Yes, within is one case of the new vma scope check.

Thanks for the confirmation.

-- 
paul-moore.com
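As an added illustration (example code, not from the patch or the kernel), the following C models the two heap predicates discussed in this thread on a constructed sample address layout: the removed containment check, and the intersection test as Christian reads vma_is_initial_heap(). The struct names, the field subset, the stack test (taken from the other removed lines of the same hook), and the sample addresses are all assumptions made for the example; the point it shows is which vmas change branch when containment becomes overlap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the mm_struct / vm_area_struct fields that
 * selinux_file_mprotect() reads. Example code, not kernel code. */
struct toy_mm {
	uintptr_t start_brk, brk;	/* [start_brk, brk] bounds the initial heap */
	uintptr_t start_stack;		/* an address inside the initial stack */
};

struct toy_vma {
	uintptr_t vm_start, vm_end;	/* [vm_start, vm_end) */
	bool has_file;			/* vma->vm_file != NULL */
	const struct toy_mm *mm;	/* vma->vm_mm */
};

/* Which PROCESS__EXEC* permission the hook would go on to consult. */
enum exec_perm { EXECHEAP, EXECSTACK, EXECMEM };

/* The removed open-coded test: the whole vma lies inside the heap. */
static bool heap_contains(const struct toy_vma *v)
{
	return v->vm_start >= v->mm->start_brk && v->vm_end <= v->mm->brk;
}

/* The helper as Christian reads it: any intersection between
 * [start_brk, brk] and [vm_start, vm_end]. */
static bool heap_overlaps(const struct toy_vma *v)
{
	return v->vm_start <= v->mm->brk && v->vm_end >= v->mm->start_brk;
}

/* The removed stack test from the same hook: the vma covers start_stack. */
static bool stack_covers(const struct toy_vma *v)
{
	return v->vm_start <= v->mm->start_stack &&
	       v->vm_end >= v->mm->start_stack;
}

/* Mirror the branch order of the hook for a PROT_EXEC request on a
 * mapping without VM_EXEC, parameterised on the heap predicate. */
static enum exec_perm classify(const struct toy_vma *v,
			       bool (*is_heap)(const struct toy_vma *))
{
	if (is_heap(v))
		return EXECHEAP;
	if (!v->has_file && stack_covers(v))
		return EXECSTACK;
	return EXECMEM;
}

/* Constructed sample layout: heap at [0x1000, 0x3000], stack near the top. */
static const struct toy_mm sample_mm = {
	.start_brk = 0x1000, .brk = 0x3000, .start_stack = 0x7fff0000,
};

/* Constructed vmas: {vm_start, vm_end, has_file, mm}. */
static const struct toy_vma vma_in_heap   = { 0x1000, 0x2000, false, &sample_mm };
static const struct toy_vma vma_straddles = { 0x0800, 0x2000, false, &sample_mm };
static const struct toy_vma vma_below     = { 0x0000, 0x0800, false, &sample_mm };
static const struct toy_vma vma_stack     = { 0x7ffe0000, 0x80000000, false, &sample_mm };
static const struct toy_vma vma_file_near_stack = { 0x7ffe0000, 0x80000000, true, &sample_mm };

static const char *perm_name(enum exec_perm p)
{
	return p == EXECHEAP ? "EXECHEAP" : p == EXECSTACK ? "EXECSTACK" : "EXECMEM";
}

int main(void)
{
	const struct toy_vma *cases[] = { &vma_in_heap, &vma_straddles, &vma_below,
					  &vma_stack, &vma_file_near_stack };
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("[%#lx, %#lx) file=%d: contains->%s overlaps->%s\n",
		       (unsigned long)cases[i]->vm_start,
		       (unsigned long)cases[i]->vm_end, cases[i]->has_file,
		       perm_name(classify(cases[i], heap_contains)),
		       perm_name(classify(cases[i], heap_overlaps)));
	return 0;
}
```

The vma fully inside the heap is classified the same way by both predicates, which is the "within is one case" point made above; the vma that starts below start_brk and ends inside the heap is the one whose branch changes, from the fall-through permission to EXECHEAP. File-backed and stack vmas are unaffected.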


Re: [PATCH v2 3/4] selinux: use vma_is_initial_stack() and vma_is_initial_heap()

2023-07-20 Thread Paul Moore
On Wed, Jul 19, 2023 at 6:23 AM Kefeng Wang  wrote:
> On 2023/7/19 17:02, Christian Göttsche wrote:
> > On Wed, 19 Jul 2023 at 09:40, Kefeng Wang  
> > wrote:
> >>
> >> Use the helpers to simplify code.
> >>
> >> Cc: Paul Moore 
> >> Cc: Stephen Smalley 
> >> Cc: Eric Paris 
> >> Acked-by: Paul Moore 
> >> Signed-off-by: Kefeng Wang 
> >> ---
> >>   security/selinux/hooks.c | 7 ++-
> >>   1 file changed, 2 insertions(+), 5 deletions(-)
> >>
> >> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> >> index d06e350fedee..ee8575540a8e 100644
> >> --- a/security/selinux/hooks.c
> >> +++ b/security/selinux/hooks.c
> >> @@ -3762,13 +3762,10 @@ static int selinux_file_mprotect(struct 
> >> vm_area_struct *vma,
> >>  if (default_noexec &&
> >>  (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
> >>  int rc = 0;
> >> -   if (vma->vm_start >= vma->vm_mm->start_brk &&
> >> -   vma->vm_end <= vma->vm_mm->brk) {
> >> +   if (vma_is_initial_heap(vma)) {
> >
> > This seems to change the condition from
> >
> >  vma->vm_start >= vma->vm_mm->start_brk && vma->vm_end <= 
> > vma->vm_mm->brk
> >
> > to
> >
> >  vma->vm_start <= vma->vm_mm->brk && vma->vm_end >= 
> > vma->vm_mm->start_brk
> >
> > (or AND arguments swapped)
> >
> >  vma->vm_end >= vma->vm_mm->start_brk && vma->vm_start <= 
> > vma->vm_mm->brk
> >
> > Is this intended?
>
> The new condition is to check whether there is an intersection between
> [start_brk, brk] and [vm_start, vm_end]; it contains the original check, so
> I think it is ok, but for the SELinux check, I am not sure if there is
> some other problem.

This particular SELinux vma check is to see if the vma falls within the
heap; can you confirm that this change preserves this?

-- 
paul-moore.com


Re: [PATCH 4/5] selinux: use vma_is_stack() and vma_is_heap()

2023-07-18 Thread Paul Moore
On Wed, Jul 12, 2023 at 10:25 AM Kefeng Wang  wrote:
>
> Use the helpers to simplify code.
>
> Signed-off-by: Kefeng Wang 
> ---
>  security/selinux/hooks.c | 7 ++-
>  1 file changed, 2 insertions(+), 5 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 4e46cf3d67b6..289ef2d6a427 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -3775,13 +3775,10 @@ static int selinux_file_mprotect(struct 
> vm_area_struct *vma,
> if (default_noexec &&
> (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
> int rc = 0;
> -   if (vma->vm_start >= vma->vm_mm->start_brk &&
> -   vma->vm_end <= vma->vm_mm->brk) {
> +   if (vma_is_heap(vma)) {
> rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
>   PROCESS__EXECHEAP, NULL);
> -   } else if (!vma->vm_file &&
> -  ((vma->vm_start <= vma->vm_mm->start_stack &&
> -vma->vm_end >= vma->vm_mm->start_stack) ||
> +   } else if (!vma->vm_file && vma_is_stack(vma) ||
> vma_is_stack_for_current(vma))) {
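Review bot: the new `else if` at `} else if (!vma->vm_file && vma_is_stack(vma) || vma_is_stack_for_current(vma))) {` does not compile as posted (three parentheses opened, four closed), and once balanced the `&&` binds tighter than `||`, so the `!vma->vm_file` guard would no longer cover the `vma_is_stack_for_current(vma)` case. The removed lines kept both stack tests inside one parenthesised group under `!vma->vm_file`; the replacement should do the same: `} else if (!vma->vm_file && (vma_is_stack(vma) || vma_is_stack_for_current(vma))) {`. Separately, the `+ if (vma_is_heap(vma)) {` line above replaces a containment check (`vm_start >= start_brk && vm_end <= brk`) with the helper's test, so the commit message should state whether the condition is meant to stay equivalent.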

With the parens fix that Andrew already provided.

Acked-by: Paul Moore 

> rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
>   PROCESS__EXECSTACK, NULL);
> --
> 2.41.0

-- 
paul-moore.com


Re: [PATCH] [RFC v2] Drop all 00-INDEX files from Documentation/

2018-09-06 Thread Paul Moore
On Mon, Sep 3, 2018 at 6:15 PM Henrik Austad  wrote:
> This is a respin with a wider audience (all that get_maintainer returned)
> and I know this spams a *lot* of people. Not sure what would be the correct
> way, so my apologies for ruining your inbox.
>
> The 00-INDEX files are supposed to give a summary of all files present
> in a directory, but these files are horribly out of date and their
> usefulness is brought into question. Often a simple "ls" would reveal
> the same information as the filenames are generally quite descriptive as
> a short introduction to what the file covers (it should not surprise
> anyone what Documentation/sched/sched-design-CFS.txt covers)
>
> A few years back it was mentioned that these files were no longer really
> needed, and they have since then grown further out of date, so perhaps
> it is time to just throw them out.
>
> A short status yields the following _outdated_ 00-INDEX files, first
> counter is files listed in 00-INDEX but missing in the directory, last
> is files present but not listed in 00-INDEX.
>
> List of outdated 00-INDEX:
> Documentation: (4/10)
> Documentation/sysctl: (0/1)
> Documentation/timers: (1/0)
> Documentation/blockdev: (3/1)
> Documentation/w1/slaves: (0/1)
> Documentation/locking: (0/1)
> Documentation/devicetree: (0/5)
> Documentation/power: (1/1)
> Documentation/powerpc: (0/5)
> Documentation/arm: (1/0)
> Documentation/x86: (0/9)
> Documentation/x86/x86_64: (1/1)
> Documentation/scsi: (4/4)
> Documentation/filesystems: (2/9)
> Documentation/filesystems/nfs: (0/2)
> Documentation/cgroup-v1: (0/2)
> Documentation/kbuild: (0/4)
> Documentation/spi: (1/0)
> Documentation/virtual/kvm: (1/0)
> Documentation/scheduler: (0/2)
> Documentation/fb: (0/1)
> Documentation/block: (0/1)
> Documentation/networking: (6/37)
> Documentation/vm: (1/3)
>
> Then there are 364 subdirectories in Documentation/ with several files that
> are missing 00-INDEX altogether (and another 120 with a single file and no
> 00-INDEX).
>
> I don't really have an opinion as to whether or not we /should/ have 00-INDEX,
> but the above 00-INDEX should either be removed or be kept up to date. If
> we should keep the files, I can try to keep them updated, but I would rather not
> if we just want to delete them anyway.
>
> As a starting point, remove all index-files and references to 00-INDEX and
> see where the discussion is going.
>
> Again, sorry for the insanely wide distribution.
>
> Signed-off-by: Henrik Austad 
...
> Signed-off-by: Henrik Austad 
> ---
>  Documentation/00-INDEX  | 428 
> 
...

Looks reasonable to me, you can add my ACK for the NetLabel bits.

Acked-by: Paul Moore 

-- 
paul moore
www.paul-moore.com
___
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel


Re: [trivial PATCH] treewide: Align function definition open/close braces

2017-12-19 Thread Paul Moore
On Sun, Dec 17, 2017 at 7:28 PM, Joe Perches <j...@perches.com> wrote:
> Some function definitions have either the initial open brace and/or
> the closing brace outside of column 1.
>
> Move those braces to column 1.
>
> This allows various function analyzers like gnu complexity to work
> properly for these modified functions.
>
> Miscellanea:
>
> o Remove extra trailing ; and blank line from xfs_agf_verify
>
> Signed-off-by: Joe Perches <j...@perches.com>
> ---
> git diff -w shows no difference other than the above 'Miscellanea'
>
> (this is against -next, but it applies against Linus' tree
>  with a couple offsets)
>
>  arch/x86/include/asm/atomic64_32.h   |  2 +-
>  drivers/acpi/custom_method.c |  2 +-
>  drivers/acpi/fan.c   |  2 +-
>  drivers/gpu/drm/amd/display/dc/core/dc.c |  2 +-
>  drivers/media/i2c/msp3400-kthreads.c |  2 +-
>  drivers/message/fusion/mptsas.c  |  2 +-
>  drivers/net/ethernet/qlogic/netxen/netxen_nic_init.c |  2 +-
>  drivers/net/wireless/ath/ath9k/xmit.c|  2 +-
>  drivers/platform/x86/eeepc-laptop.c  |  2 +-
>  drivers/rtc/rtc-ab-b5ze-s3.c |  2 +-
>  drivers/scsi/dpt_i2o.c   |  2 +-
>  drivers/scsi/sym53c8xx_2/sym_glue.c  |  2 +-
>  fs/locks.c   |  2 +-
>  fs/ocfs2/stack_user.c|  2 +-
>  fs/xfs/libxfs/xfs_alloc.c|  5 ++---
>  fs/xfs/xfs_export.c  |  2 +-
>  kernel/audit.c   |  6 +++---
>  kernel/trace/trace_printk.c  |  4 ++--
>  lib/raid6/sse2.c | 14 +++---
>  sound/soc/fsl/fsl_dma.c      |  2 +-
>  20 files changed, 30 insertions(+), 31 deletions(-)

For the audit bits ...

Acked-by: Paul Moore <p...@paul-moore.com>

-- 
paul moore
www.paul-moore.com