This is a patch against the SELinux namespace work.

Mark the initial SELinux namespace pointer as __ro_after_init, to harden 
against malicious overwrite by an attacker.

Signed-off-by: James Morris <james.l.mor...@oracle.com>
---
 security/selinux/hooks.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 3daad14..98dbf57 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -97,7 +97,7 @@
 #include "audit.h"
 #include "avc_ss.h"
 
-struct selinux_ns *init_selinux_ns;
+struct selinux_ns *init_selinux_ns __ro_after_init;
 
 /* SECMARK reference count */
 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
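Review bot: The `__ro_after_init` annotation on `init_selinux_ns` is only safe if every store to this pointer happens before `mark_rodata_ro()` runs; the assignment site is not in this hunk, and any later write (for example from a namespace create or teardown path) would now fault instead of succeeding. It would help to state that contract next to the definition, e.g. `/* Initial SELinux namespace; assigned once during early init and read-only thereafter (__ro_after_init). */`. Note also that the protection covers the pointer variable itself, not the `struct selinux_ns` it points to, which remains writable; the commit message reads as if the namespace were being hardened, so a sentence making that distinction explicit would avoid overstating the effect.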
-- 
1.8.3.1


-- 
James Morris
<james.l.mor...@oracle.com>

