lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <3278.1186889947@ocs10w.ocs.com.au>
Date:	Sun, 12 Aug 2007 13:39:07 +1000
From:	Keith Owens <kaos@....com.au>
To:	casey@...aufler-ca.com
cc:	Arjan van de Ven <arjan@...radead.org>,
	linux-security-module@...r.kernel.org,
	linux-kernel@...r.kernel.org, akpm@...l.org, torvalds@...l.org
Subject: Re: [PATCH] Smack: Simplified Mandatory Access Control Kernel 

Casey Schaufler (on Sat, 11 Aug 2007 12:56:42 -0700 (PDT)) wrote:
>
>--- Arjan van de Ven <arjan@...radead.org> wrote:
>> > +#include <linux/kernel.h>
>> > +#include <linux/vmalloc.h>
>> > +#include <linux/security.h>
>> > +#include <linux/mutex.h>
>> > +#include <net/netlabel.h>
>> > +#include "../../net/netlabel/netlabel_domainhash.h"
>> 
>> can't you move this header to include/ instead?
>
>Paul Moore, the developer of netlabel, promised to work out
>the right solution for this with me at a future date. He
>doesn't want to move the header, and I respect that.

foo.c has

#include "netlabel_domainhash.h"

Makefile has CFLAGS_foo.o += -I$(srctree)/net/netlabel

I prefer to use -I $(srctree)/net/netlabel for readability but '-I '
breaks on SuSE builds for some reason that I cannot be bothered working
out.  -I$(srctree)/net/netlabel works.

>> > +	doip = kmalloc(sizeof(struct cipso_v4_doi), GFP_KERNEL);
>> > +	if (doip == NULL)
>> > +		panic("smack:  Failed to initialize cipso DOI.\n");
>> > +	doip->map.std = NULL;
>> > +
>> > +	ndmp = kmalloc(sizeof(struct netlbl_dom_map), GFP_KERNEL);
>> > +	if (ndmp == NULL)
>> > +		panic("smack:  Failed to initialize cipso ndmp.\n");
>> 
>> 
>> is panic() really the right thing here? It's usually considered quite
>> rude ;)
>
>It's really early in start-up and if you're out of memory at that
>point you are not going very far into the future.

Not to mention that you might end up running with an insecure system.
Security must be failsafe.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ