This is a patch against the SELinux namespace work. Mark the initial SELinux namespace pointer as __ro_after_init, to harden against malicious overwrite by an attacker.
Signed-off-by: James Morris <james.l.morris@xxxxxxxxxx>
---
 security/selinux/hooks.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 3daad14..98dbf57 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -97,7 +97,7 @@
 #include "audit.h"
 #include "avc_ss.h"
 
-struct selinux_ns *init_selinux_ns;
+struct selinux_ns *init_selinux_ns __ro_after_init;
 
 /* SECMARK reference count */
 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
-- 
1.8.3.1
-- 
James Morris <james.l.morris@xxxxxxxxxx>
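Review bot: The `__ro_after_init` annotation on `init_selinux_ns` protects only the pointer value, not the `struct selinux_ns` it refers to, so the hardening described in the commit message covers redirection of the pointer but not modification of the namespace's own fields. How that object is allocated is not visible in this hunk; if it lives in ordinary writable memory, its state remains reachable by the same kind of write the patch is meant to resist. A short comment above the definition would record the scope, e.g. `/* Pointer is read-only after init; the namespace object it references is not. */`. It is also worth confirming that every store to `init_selinux_ns` happens from `__init` code, since a later assignment would fault once the section is write-protected.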