On 7/17/2023 1:13 PM, Paul Moore wrote:
> On Mon, Jul 10, 2023 at 4:25 AM Leesoo Ahn <lsahn@xxxxxxxxxx> wrote:
>> The major part, the conditional branch in selinux_mmap_addr() is always to be
>> false so long as CONFIG_LSM_MMAP_MIN_ADDR is set to zero at compile time.
>>
>> This usually happens in some linux distros, for instance Ubuntu, which
>> the config is set to zero in release version. Therefore it could be a bit
>> optimized with '#if <expr>' at compile time.
>>
>> Signed-off-by: Leesoo Ahn <lsahn@xxxxxxxxxxxxxx>
>> ---
>> security/selinux/hooks.c | 2 ++
>> 1 file changed, 2 insertions(+)
> First, I agree with Stephen's comments that you should ask your distro
> (you mentioned Debian) to move MIN_ADDR higher. Beyond that, I have
> one request, see below ...
>
>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>> index d06e350fedee..a049aab6524b 100644
>> --- a/security/selinux/hooks.c
>> +++ b/security/selinux/hooks.c
>> @@ -3723,11 +3723,13 @@ static int selinux_mmap_addr(unsigned long addr)
>> {
>> int rc = 0;
>>
>> +#if CONFIG_LSM_MMAP_MIN_ADDR > 0
>> if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
>> u32 sid = current_sid();
>> rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
>> MEMPROTECT__MMAP_ZERO, NULL);
>> }
>> +#endif
>>
>> return rc;
>> }
> Pre-processor conditionals inside a function are generally something
> we don't recommend. In this case I would suggest doing something like
> this:
>
> #if (MMAP_MIN_ADDR > 0)
> static int selinux_mmap_addr(...)
> {
> /* current func definition */
> }
> #else /* MMAP_MIN_ADDR > 0 */
> static int selinux_mmap_addr(...)
> {
> return 0;
> }
> #endif /* MMAP_MIN_ADDR > 0 */
Better yet, skip the #else here and #if out the LSM_HOOK_INIT(mmap_addr, ...).
No hook at all is faster than a hook that does nothing.
