On Mon, 2017-10-16 at 17:44 +1100, James Morris wrote:
> This is a patch against the SELinux namespace work.
>
> Mark the initial SELinux namespace pointer as __ro_after_init, to harden
> against malicious overwrite by an attacker.
>
> Signed-off-by: James Morris <james.l.morris@xxxxxxxxxx>

Thanks, this looks fine; I can apply it on my branch if you want.

Note however that at this point, I am looking more for design discussion and resolution of the problems noted in the patch descriptions for the existing patches, and anticipate many of those patches being substantially rewritten or discarded in any final version. This particular patch however could likely be rebased on top of the first patch in the series and wouldn't be affected by such changes.

> --- > security/selinux/hooks.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 3daad14..98dbf57 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -97,7 +97,7 @@ > #include "audit.h" > #include "avc_ss.h" > > -struct selinux_ns *init_selinux_ns; > +struct selinux_ns *init_selinux_ns __ro_after_init; > > /* SECMARK reference count */ > static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); > -- > 1.8.3.1 > >
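
Review bot: The changed declaration of init_selinux_ns in security/selinux/hooks.c shows only the variable, not the site where it is assigned, so the patch should state (in the commit message or in a short comment above the declaration) that the pointer is set exactly once during init. With __ro_after_init, any later store to the variable will fault once init memory has been made read-only, so a reader needs to be able to confirm that no post-init path writes it. It is also worth noting alongside the declaration that the annotation covers the pointer only: the struct selinux_ns it refers to stays writable, so the hardening applies to redirecting the pointer and not to modifying the namespace state behind it.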