Re: [PATCH v2 3/4] selinux: use vma_is_initial_stack() and vma_is_initial_heap()
On Thu, Jul 20, 2023 at 4:28 AM Kefeng Wang wrote: > On 2023/7/19 23:25, Paul Moore wrote: > > On Wed, Jul 19, 2023 at 6:23 AM Kefeng Wang > > wrote: > >> On 2023/7/19 17:02, Christian Göttsche wrote: > >>> On Wed, 19 Jul 2023 at 09:40, Kefeng Wang > >>> wrote: > >>>> > >>>> Use the helpers to simplify code. > >>>> > >>>> Cc: Paul Moore > >>>> Cc: Stephen Smalley > >>>> Cc: Eric Paris > >>>> Acked-by: Paul Moore > >>>> Signed-off-by: Kefeng Wang > >>>> --- > >>>>security/selinux/hooks.c | 7 ++- > >>>>1 file changed, 2 insertions(+), 5 deletions(-) > >>>> > >>>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > >>>> index d06e350fedee..ee8575540a8e 100644 > >>>> --- a/security/selinux/hooks.c > >>>> +++ b/security/selinux/hooks.c > >>>> @@ -3762,13 +3762,10 @@ static int selinux_file_mprotect(struct > >>>> vm_area_struct *vma, > >>>> if (default_noexec && > >>>> (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { > >>>> int rc = 0; > >>>> - if (vma->vm_start >= vma->vm_mm->start_brk && > >>>> - vma->vm_end <= vma->vm_mm->brk) { > >>>> + if (vma_is_initial_heap(vma)) { > >>> > >>> This seems to change the condition from > >>> > >>> vma->vm_start >= vma->vm_mm->start_brk && vma->vm_end <= > >>> vma->vm_mm->brk > >>> > >>> to > >>> > >>> vma->vm_start <= vma->vm_mm->brk && vma->vm_end >= > >>> vma->vm_mm->start_brk > >>> > >>> (or AND arguments swapped) > >>> > >>> vma->vm_end >= vma->vm_mm->start_brk && vma->vm_start <= > >>> vma->vm_mm->brk > >>> > >>> Is this intended? > >> > >> The new condition is to check whether there is intersection between > >> [startbrk,brk] and [vm_start,vm_end], it contains orignal check, so > >> I think it is ok, but for selinux check, I am not sure if there is > >> some other problem. > > > > This particular SELinux vma check is see if the vma falls within the > > heap; can you confirm that this change preserves this? > > Yes, within is one case of new vma scope check. Thanks for the confirmation. -- paul-moore.com
Re: [PATCH v2 3/4] selinux: use vma_is_initial_stack() and vma_is_initial_heap()
On Wed, Jul 19, 2023 at 6:23 AM Kefeng Wang wrote: > On 2023/7/19 17:02, Christian Göttsche wrote: > > On Wed, 19 Jul 2023 at 09:40, Kefeng Wang > > wrote: > >> > >> Use the helpers to simplify code. > >> > >> Cc: Paul Moore > >> Cc: Stephen Smalley > >> Cc: Eric Paris > >> Acked-by: Paul Moore > >> Signed-off-by: Kefeng Wang > >> --- > >> security/selinux/hooks.c | 7 ++- > >> 1 file changed, 2 insertions(+), 5 deletions(-) > >> > >> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > >> index d06e350fedee..ee8575540a8e 100644 > >> --- a/security/selinux/hooks.c > >> +++ b/security/selinux/hooks.c > >> @@ -3762,13 +3762,10 @@ static int selinux_file_mprotect(struct > >> vm_area_struct *vma, > >> if (default_noexec && > >> (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { > >> int rc = 0; > >> - if (vma->vm_start >= vma->vm_mm->start_brk && > >> - vma->vm_end <= vma->vm_mm->brk) { > >> + if (vma_is_initial_heap(vma)) { > > > > This seems to change the condition from > > > > vma->vm_start >= vma->vm_mm->start_brk && vma->vm_end <= > > vma->vm_mm->brk > > > > to > > > > vma->vm_start <= vma->vm_mm->brk && vma->vm_end >= > > vma->vm_mm->start_brk > > > > (or AND arguments swapped) > > > > vma->vm_end >= vma->vm_mm->start_brk && vma->vm_start <= > > vma->vm_mm->brk > > > > Is this intended? > > The new condition is to check whether there is intersection between > [startbrk,brk] and [vm_start,vm_end], it contains orignal check, so > I think it is ok, but for selinux check, I am not sure if there is > some other problem. This particular SELinux vma check is see if the vma falls within the heap; can you confirm that this change preserves this? -- paul-moore.com
Re: [PATCH 4/5] selinux: use vma_is_stack() and vma_is_heap()
On Wed, Jul 12, 2023 at 10:25 AM Kefeng Wang wrote: > > Use the helpers to simplify code. > > Signed-off-by: Kefeng Wang > --- > security/selinux/hooks.c | 7 ++- > 1 file changed, 2 insertions(+), 5 deletions(-) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 4e46cf3d67b6..289ef2d6a427 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -3775,13 +3775,10 @@ static int selinux_file_mprotect(struct > vm_area_struct *vma, > if (default_noexec && > (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { > int rc = 0; > - if (vma->vm_start >= vma->vm_mm->start_brk && > - vma->vm_end <= vma->vm_mm->brk) { > + if (vma_is_heap(vma)) { > rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, > PROCESS__EXECHEAP, NULL); > - } else if (!vma->vm_file && > - ((vma->vm_start <= vma->vm_mm->start_stack && > -vma->vm_end >= vma->vm_mm->start_stack) || > + } else if (!vma->vm_file && vma_is_stack(vma) || > vma_is_stack_for_current(vma))) { With the parens fix that Andrew already provided. Acked-by: Paul Moore > rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, > PROCESS__EXECSTACK, NULL); > -- > 2.41.0 -- paul-moore.com
Re: [PATCH] [RFC v2] Drop all 00-INDEX files from Documentation/
On Mon, Sep 3, 2018 at 6:15 PM Henrik Austad wrote: > This is a respin with a wider audience (all that get_maintainer returned) > and I know this spams a *lot* of people. Not sure what would be the correct > way, so my apologies for ruining your inbox. > > The 00-INDEX files are supposed to give a summary of all files present > in a directory, but these files are horribly out of date and their > usefulness is brought into question. Often a simple "ls" would reveal > the same information as the filenames are generally quite descriptive as > a short introduction to what the file covers (it should not surprise > anyone what Documentation/sched/sched-design-CFS.txt covers) > > A few years back it was mentioned that these files were no longer really > needed, and they have since then grown further out of date, so perhaps > it is time to just throw them out. > > A short status yields the following _outdated_ 00-INDEX files, first > counter is files listed in 00-INDEX but missing in the directory, last > is files present but not listed in 00-INDEX. > > List of outdated 00-INDEX: > Documentation: (4/10) > Documentation/sysctl: (0/1) > Documentation/timers: (1/0) > Documentation/blockdev: (3/1) > Documentation/w1/slaves: (0/1) > Documentation/locking: (0/1) > Documentation/devicetree: (0/5) > Documentation/power: (1/1) > Documentation/powerpc: (0/5) > Documentation/arm: (1/0) > Documentation/x86: (0/9) > Documentation/x86/x86_64: (1/1) > Documentation/scsi: (4/4) > Documentation/filesystems: (2/9) > Documentation/filesystems/nfs: (0/2) > Documentation/cgroup-v1: (0/2) > Documentation/kbuild: (0/4) > Documentation/spi: (1/0) > Documentation/virtual/kvm: (1/0) > Documentation/scheduler: (0/2) > Documentation/fb: (0/1) > Documentation/block: (0/1) > Documentation/networking: (6/37) > Documentation/vm: (1/3) > > Then there are 364 subdirectories in Documentation/ with several files that > are missing 00-INDEX alltogether (and another 120 with a single file and no > 00-INDEX). > > I don't really have an opinion to whether or not we /should/ have 00-INDEX, > but the above 00-INDEX should either be removed or be kept up to date. If > we should keep the files, I can try to keep them updated, but I rather not > if we just want to delete them anyway. > > As a starting point, remove all index-files and references to 00-INDEX and > see where the discussion is going. > > Again, sorry for the insanely wide distribution. > > Signed-off-by: Henrik Austad ... > Signed-off-by: Henrik Austad > --- > Documentation/00-INDEX | 428 > ... Looks reasonable to me, you can add my ACK for the NetLabel bits. Acked-by: Paul Moore -- paul moore www.paul-moore.com ___ dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel
Re: [trivial PATCH] treewide: Align function definition open/close braces
On Sun, Dec 17, 2017 at 7:28 PM, Joe Perches <j...@perches.com> wrote: > Some functions definitions have either the initial open brace and/or > the closing brace outside of column 1. > > Move those braces to column 1. > > This allows various function analyzers like gnu complexity to work > properly for these modified functions. > > Miscellanea: > > o Remove extra trailing ; and blank line from xfs_agf_verify > > Signed-off-by: Joe Perches <j...@perches.com> > --- > git diff -w shows no difference other than the above 'Miscellanea' > > (this is against -next, but it applies against Linus' tree > with a couple offsets) > > arch/x86/include/asm/atomic64_32.h | 2 +- > drivers/acpi/custom_method.c | 2 +- > drivers/acpi/fan.c | 2 +- > drivers/gpu/drm/amd/display/dc/core/dc.c | 2 +- > drivers/media/i2c/msp3400-kthreads.c | 2 +- > drivers/message/fusion/mptsas.c | 2 +- > drivers/net/ethernet/qlogic/netxen/netxen_nic_init.c | 2 +- > drivers/net/wireless/ath/ath9k/xmit.c| 2 +- > drivers/platform/x86/eeepc-laptop.c | 2 +- > drivers/rtc/rtc-ab-b5ze-s3.c | 2 +- > drivers/scsi/dpt_i2o.c | 2 +- > drivers/scsi/sym53c8xx_2/sym_glue.c | 2 +- > fs/locks.c | 2 +- > fs/ocfs2/stack_user.c| 2 +- > fs/xfs/libxfs/xfs_alloc.c| 5 ++--- > fs/xfs/xfs_export.c | 2 +- > kernel/audit.c | 6 +++--- > kernel/trace/trace_printk.c | 4 ++-- > lib/raid6/sse2.c | 14 +++--- > sound/soc/fsl/fsl_dma.c | 2 +- > 20 files changed, 30 insertions(+), 31 deletions(-) For the audit bits ... Acked-by: Paul Moore <p...@paul-moore.com> -- paul moore www.paul-moore.com ___ dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel