public inbox for stable@vger.kernel.org
From: Alexander Grund <theflamefire89@gmail.com>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: stable@vger.kernel.org,
	Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Subject: Re: [PATCH 4.9 1/1] LSM: Initialize security_hook_heads upon registration.
Date: Fri, 12 Aug 2022 12:50:42 +0200
Message-ID: <da7d4c6f-0010-6f77-e64e-20f3ebfb57dd@gmail.com>
In-Reply-To: <YvTzZM499PnOTMZD@kroah.com>

On 11.08.22 14:17, Greg KH wrote:
> As this fixes no bug or real issue that anyone is having with 4.9, why
> is this needed?

This makes it easier to maintain the kernel by removing error-prone code.
I mentioned this patch earlier and you seemed to be interested to at least
have a look at [1].
An example where this turns out to be useful is backporting the fix
for CVE-2021-39686 (see the ASB[2]). That relies on a new hook (see [3]) which
is much easier to add with the simplification done in this patch.
Without this patch the patch with the new hook applies cleanly but the kernel
then fails due to an uninitialized hook list head.
This doesn't apply to the upstream 4.x branches directly but only to the 
Android branches as Google seemingly backported some 5.x security features, e.g.
ec74136ded792 "binder: create node flag to request sender's security context"
 
> What devices and users would benefit from this that would need it for
> the next 5 months only before they move to 4.14.y?  And why aren't those
> users on 4.14.y already?

The 4.9.y branch is also used by the Civil Infrastructure Project (CIP) to maintain
an SLTS (Super Long Term Support) 4.4.y branch which is e.g. used by a community
maintaining alternative Android builds for devices no longer supported by their
vendors.
Given that there is a community extending the lifetime of the 4.4.y LTS branch it
is reasonable to assume that there are many other devices besides mine that still
use the 4.4.y branch and benefit from the change to 4.9.y which will then be backported
to 4.4.y by the CIP. And by extension one can assume that 4.9.y is and will be used
for some devices where moving to 4.14.y is not feasible due to e.g. proprietary
interfaces or simply the amount of work required to reapply all modifications
from e.g. Android/Google and different vendors to a newer kernel given that maintainers
of such devices are often very limited in resources and time.

Regards,
Alex

[1] https://lore.kernel.org/all/YsrKlIEV2ytKcWb8@kroah.com/
[2] https://source.android.com/security/bulletin/2022-03-01#kernel-components-05
[3] https://lore.kernel.org/all/20171026084055.25482-1-mjg59@google.com/
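
A user-space model of the failure mode described in the message above (a new hook whose list head is never initialized), added here as an example; it is not code from the patch, the kernel, or the message's author. The struct, the hook names and the helper functions are hypothetical, and the two initialization styles shown (one static initializer per member versus a loop over all members) are assumptions about what is being compared.

```c
#include <stddef.h>

/* Minimal stand-in for the kernel's circular doubly linked list. */
struct list_head { struct list_head *next, *prev; };
#define LIST_HEAD_INIT(name) { &(name), &(name) }

/* Hypothetical model: one list head per hook. */
struct hook_heads {
    struct list_head old_hook;
    struct list_head new_hook;   /* member added by a backport */
};

/* Per-member static initialization: the line for new_hook was
 * forgotten, so its next/prev pointers stay NULL. */
static struct hook_heads static_heads = {
    .old_hook = LIST_HEAD_INIT(static_heads.old_hook),
};
static struct hook_heads runtime_heads;

/* Loop initialization: walk the struct as an array of list heads so
 * every member, including later additions, becomes an empty list. */
static void init_all_heads(struct hook_heads *h)
{
    struct list_head *list = (struct list_head *)h;
    size_t i;

    for (i = 0; i < sizeof(*h) / sizeof(struct list_head); i++)
        list[i].next = list[i].prev = &list[i];
}

/* Tail insertion with a guard added for this demo. An unguarded
 * insertion would write through the NULL head->prev instead.
 * Returns 0 on success, -1 if the head was never initialized. */
static int add_tail_checked(struct list_head *entry, struct list_head *head)
{
    if (!head->next || !head->prev)
        return -1;
    entry->prev = head->prev;
    entry->next = head;
    head->prev->next = entry;
    head->prev = entry;
    return 0;
}

int main(void)
{
    struct list_head a, b;
    init_all_heads(&runtime_heads);
    return !(add_tail_checked(&a, &static_heads.new_hook) == -1 &&
             add_tail_checked(&b, &runtime_heads.new_hook) == 0);
}
```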
