| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 20 Dec 2018 15:30:01 -0200
From: Thiago Jung Bauermann <bauerman@...ux.ibm.com>
To: Igor Stoppa <igor.stoppa@...il.com>
Cc: Andy Lutomirski <luto@...capital.net>,
Matthew Wilcox <willy@...radead.org>,
Peter Zijlstra <peterz@...radead.org>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Mimi Zohar <zohar@...ux.vnet.ibm.com>, igor.stoppa@...wei.com,
Nadav Amit <nadav.amit@...il.com>,
Kees Cook <keescook@...omium.org>,
linux-integrity@...r.kernel.org,
kernel-hardening@...ts.openwall.com, linux-mm@...ck.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH 11/12] IMA: turn ima_policy_flags into __wr_after_init
Hello Igor,
Igor Stoppa <igor.stoppa@...il.com> writes:
> diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
> index 59d834219cd6..5f4e13e671bf 100644
> --- a/security/integrity/ima/ima_init.c
> +++ b/security/integrity/ima/ima_init.c
> @@ -21,6 +21,7 @@
> #include <linux/scatterlist.h>
> #include <linux/slab.h>
> #include <linux/err.h>
> +#include <linux/prmem.h>
>
> #include "ima.h"
>
> @@ -98,9 +99,9 @@ void __init ima_load_x509(void)
> {
> int unset_flags = ima_policy_flag & IMA_APPRAISE;
>
> - ima_policy_flag &= ~unset_flags;
> + wr_assign(ima_policy_flag, ima_policy_flag & ~unset_flags);
> integrity_load_x509(INTEGRITY_KEYRING_IMA, CONFIG_IMA_X509_PATH);
> - ima_policy_flag |= unset_flags;
> + wr_assign(ima_policy_flag, ima_policy_flag | unset_flags);
> }
> #endif
In the cover letter, you said:
> As the name implies, the write protection kicks in only after init()
> is completed; before that moment, the data is modifiable in the usual
> way.
Given that, is it still necessary or useful to use wr_assign() in a
function marked with __init?
--
Thiago Jung Bauermann
IBM Linux Technology Center
Powered by blists - more mailing lists