On Thu, Feb 20, 2020 at 06:52:46PM +0100, KP Singh wrote:
> index aa111392a700..569cc07d5e34 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -804,6 +804,13 @@ int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
> break;
> }
> }
> +#ifdef CONFIG_BPF_LSM
> + if (HAS_BPF_LSM_PROG(vm_enough_memory)) {
> + rc = bpf_lsm_vm_enough_memory(mm, pages);
> + if (rc <= 0)
> + cap_sys_admin = 0;
> + }
> +#endif
This pattern of using #ifdef in code is not considered best practice.
Using in-code IS_ENABLED(CONFIG_BPF_LSM) is preferred. But since this
pattern always uses HAS_BPF_LSM_PROG(), you could fold the
IS_ENABLED() into the definition of HAS_BPF_LSM_PROG itself -- or more
likely, have the macro defined as:
#ifdef CONFIG_BPF_LSM
# define HAS_BPF_LSM_PROG(x) ....existing implementation....
#else
# define HAS_BPF_LSM_PROG(x) false
#endif
Then none of these ifdefs are needed.
--
Kees Cook
