Re: [PATCH] mm/nommu.c: Fix improperly call of security API in mmap

All of lore.kernel.org
 help / color / mirror / Atom feed

From: John Johansen <john.johansen@canonical.com>
To: Eric Paris <eparis@redhat.com>
Cc: David Howells <dhowells@redhat.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	graff.yang@gmail.com, linux-kernel@vger.kernel.org,
	gyang@blackfin.uclinux.org,
	uclinux-dist-devel@blackfin.uclinux.org,
	Graff Yang <graf.yang@analog.com>,
	linux-security-module@vger.kernel.org,
	john.johansen@canonical.com
Subject: Re: [PATCH] mm/nommu.c: Fix improperly call of security API in mmap
Date: Mon, 23 Nov 2009 02:10:21 -0800	[thread overview]
Message-ID: <4B0A5F8D.6090707@canonical.com> (raw)
In-Reply-To: <1258820146.2916.56.camel@dhcp231-106.rdu.redhat.com>

Eric Paris wrote:
> On Sat, 2009-11-21 at 00:16 +0000, David Howells wrote:
>> Eric Paris <eparis@redhat.com> wrote:
>>
>>> +/* sec_flags for security_file_mmap */
>>> +#define SECURITY_MMAP_ADDR_ONLY	0x01
>>> +#define SECURITY_MMAP_NOT_ADDR	0x02
>> Please add comments to these to indicate what they're intended to convey.
>> Would ADDR_ONLY be better as EXACT_ADDR?
> 
> I think I should point out that this hook checks 2 things.  Originally
> it was only used to check if a file should be allowed to be mmaped.  It
> was later enhanced to check if the return address of mmap, if it is file
> backed or anonymous, is acceptable.  These flags only influence the
> later.
> 
> ADDR_ONLY means the security system should only check the address.
> NOT_ADDR means they security system should not check the address.
> 
> You need ADDR_ONLY when the hook is called on map that is not file
> backed or where that has already been dealt with.  You need NOT_ADDR
> only for nommu where the whole idea of mmap_min_addr is pointless.
> 
> I'm not sure what comments would convey....
> 
> /* security hook should only check the address */
> #define SECURITY_MMAP_ADDR_ONLY	0x01
> /* security hook should not check the address */
> #define SECURITY_MMAP_NOT_ADDR	0x02
> 
> Does that add something?
> 
> Still haven't heard where people scream they absolutely need this today,
> so I'm going to ask James to carry it in his for-next tree.
> 
The comments convey a tad more but I don't think they are necessary, and
I concur, it would be good if it went into the for-next tree.

next prev parent reply	other threads:[~2009-11-23 10:10 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-10-14 10:28 [PATCH] mm/nommu.c: Fix improperly call of security API in mmap graff.yang
2009-10-14 14:08 ` David Howells
2009-10-15  2:21   ` graff yang
2009-10-15  3:45     ` graff yang
2009-10-15  7:07       ` David Howells
2009-10-16  7:06   ` [Uclinux-dist-devel] " Mike Frysinger
2009-10-16 15:01   ` Eric Paris
2009-10-16 15:14     ` David Howells
2009-10-16 15:21       ` Eric Paris
2009-10-16 15:43         ` David Howells
2009-10-16 15:55           ` Eric Paris
2009-11-17 22:13             ` Andrew Morton
2009-11-17 23:24               ` Mike Frysinger
2009-11-18 21:10               ` Eric Paris
2009-11-20 15:00               ` David Howells
2009-11-20 17:42                 ` Andrew Morton
2009-11-20 17:54                   ` David Howells
2009-11-20 19:32                     ` Eric Paris
2009-11-20 19:50                       ` Andrew Morton
2009-11-20 19:58                         ` Eric Paris
2009-11-21  0:16                       ` David Howells
2009-11-21 16:15                         ` Eric Paris
2009-11-23 10:10                           ` John Johansen [this message]
2009-10-16 15:43       ` [Uclinux-dist-devel] " Mike Frysinger

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4B0A5F8D.6090707@canonical.com \
    --to=john.johansen@canonical.com \
    --cc=akpm@linux-foundation.org \
    --cc=dhowells@redhat.com \
    --cc=eparis@redhat.com \
    --cc=graf.yang@analog.com \
    --cc=graff.yang@gmail.com \
    --cc=gyang@blackfin.uclinux.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=uclinux-dist-devel@blackfin.uclinux.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.