lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 11 Jan 2021 15:21:31 +0530
From:   pnagar@...eaurora.org
To:     Nick Desaulniers <ndesaulniers@...gle.com>
Cc:     arnd@...db.de, dsule@...eaurora.org, eparis@...isplace.org,
        jmorris@...ei.org, joe@...ches.com, linux-arch@...r.kernel.org,
        linux-kernel@...r.kernel.org,
        linux-security-module@...r.kernel.org, jeffv@...gle.com,
        nmardana@...eaurora.org, ojeda@...nel.org, paul@...l-moore.com,
        psodagud@...eaurora.org, selinux@...r.kernel.org, serge@...lyn.com,
        stephen.smalley.work@...il.com,
        ndesaulniers via sendgmr 
        <ndesaulniers@...saulniers1.mtv.corp.google.com>
Subject: Re: [RFC PATCH v2] selinux: security: Move selinux_state to a
 separate page

On 2021-01-09 06:31, Nick Desaulniers wrote:
> Via:
> https://lore.kernel.org/lkml/1610099389-28329-1-git-send-email-pnagar@codeaurora.org/
> 
>> diff --git a/include/linux/init.h b/include/linux/init.h
>> index 7b53cb3..617adcf 100644
>> --- a/include/linux/init.h
>> +++ b/include/linux/init.h
>> @@ -300,6 +300,10 @@ void __init parse_early_options(char *cmdline);
>>  /* Data marked not to be saved by software suspend */
>>  #define __nosavedata __section(".data..nosave")
>> 
>> +#ifdef CONFIG_SECURITY_RTIC
>> +#define __rticdata  __section(".bss.rtic")
> 
> if you put:
> 
> #else
> #define __rticdata
> 
> here, then you wouldn't need to label each datum you put in there.
> 
>> +#endif
>> +
>>  #ifdef MODULE
>>  #define __exit_p(x) x
>>  #else
> 
>> --- a/security/selinux/hooks.c
>> +++ b/security/selinux/hooks.c
>> @@ -104,7 +104,11 @@
>>  #include "audit.h"
>>  #include "avc_ss.h"
>> 
>> +#ifdef CONFIG_SECURITY_RTIC
>> +struct selinux_state selinux_state __rticdata;
>> +#else
>>  struct selinux_state selinux_state;
>> +#endif
> 
> so you could then drop the if-def here.
Will update this in next version, thank you for the suggestion.

> Happy to see this resolved when building with LLD+LTO, which has been a
> problem in the past.
Yes, downstream we have this verified with LTO configs enabled. Let us 
know if
you are suggesting to check anything additionally here.

> Disabling selinux is a common attack vector on Android devices, so 
> happy
> to see some effort towards mitigation.  You might want to communicate
> the feature more to existing OEMs that are using your chipsets that
> support this feature.
Glad to know the idea looks good! Yes, we will work on that, will 
communicate
internally as well, thank you.

Powered by blists - more mailing lists