On Mon, Sep 18, 2023 at 11:24:58PM +0200, KP Singh wrote: > [...] > +void bpf_lsm_toggle_hook(void *addr, bool value) > +{ > + struct lsm_static_call *scalls; > + struct security_hook_list *h; > + int i, j; > + > + for (i = 0; i < ARRAY_SIZE(bpf_lsm_hooks); i++) { > + h = &bpf_lsm_hooks[i]; > + scalls = h->scalls; > + if (h->hook.lsm_callback == addr) > + continue; > + > + for (j = 0; j < MAX_LSM_COUNT; j++) { > + if (scalls[j].hl != h) > + continue; > + if (value) > + static_branch_enable(scalls[j].active); > + else > + static_branch_disable(scalls[j].active); > + } > + } > +} And this happily works with everything being read-only? I double-checked these structures, and it seems like the answer is "yes". :) So, to that end: Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx> -- Kees Cook
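Review bot: the outer-loop test `if (h->hook.lsm_callback == addr) continue;` looks inverted. As written it skips the one entry in `bpf_lsm_hooks` whose callback matches `addr` and enables or disables the static branches of every other hook, which does not match a function named `bpf_lsm_toggle_hook()` that takes a single hook address. If the intent is to toggle only the hook for `addr`, the comparison should be `!=`, and the outer loop can stop once that entry has been handled. A short comment above the function stating what `addr` identifies and what `value` means would also make the intended behaviour checkable against the code.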