3.2-rc1 rebase review
Tetsuo Handa
from-ubuntu at I-love.SAKURA.ne.jp
Wed Nov 9 13:50:27 UTC 2011
Kees Cook wrote:
> > UBUNTU: ubuntu: Yama - unconditionally chain to Yama LSM
>
> http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-precise.git;a=commitdiff;h=336823e68877aeaea2b3ec680671612e10770616
>
> Looks correct to me. And any runs of the qrt test-kernel-hardening.py
> regression test will catch it if it's not operating correctly.
Please use
+#ifdef CONFIG_SECURITY_YAMA
rather than
+#if CONFIG_SECURITY_YAMA
.
BTW, if Yama is unconditionally chained as long as CONFIG_SECURITY_YAMA=y,
why do we want
+ if (!security_module_enable(&yama_ops))
+ return 0;
+
+ if (register_security(&yama_ops))
+ panic("Yama: kernel registration failed.\n");
at yama_init()?
By removing these lines, we can change from
+ if (rc || security_ops->ptrace_access_check == yama_ptrace_access_check)
+ if (rc || security_ops->path_link == yama_path_link)
+ if (rc || security_ops->inode_follow_link == yama_inode_follow_link)
to
+ if (rc)
and change from
+ if (rc != -ENOSYS || security_ops->task_prctl == yama_task_prctl)
to
+ if (rc != -ENOSYS)
and remove
+ if (security_ops->task_free == yama_task_free)
+ return;
because passing security=yama causes default capability hooks (which are no-op)
to be called after yama hooks are called.
More information about the kernel-team
mailing list