Re: [PATCH 4.9 1/1] LSM: Initialize security_hook_heads upon registration.

On 11.08.22 14:17, Greg KH wrote:
> As this fixes no bug or real issue that anyone is having with 4.9, why
> is this needed?

This makes it easier to maintain the kernel by removing error-prone code.
I mentioned this patch earlier and you seemed to be interested in at least
having a look at it [1].
An example where this turns out to be useful is backporting the fix
for CVE-2021-39686 (see the ASB [2]). That relies on a new hook (see [3]) which
is much easier to add with the simplification done in this patch.
Without this patch, the patch with the new hook applies cleanly but the kernel
then fails due to an uninitialized hook list head.
This doesn't apply to the upstream 4.x branches directly but only to the
Android branches, as Google seemingly backported some 5.x security features, e.g.
ec74136ded792 "binder: create node flag to request sender's security context"
 
> What devices and users would benefit from this that would need it for
> the next 5 months only before they move to 4.14.y?  And why aren't those
> users on 4.14.y already?

The 4.9.y branch is also used by the Civil Infrastructure Project (CIP) to maintain
an SLTS (Super Long Term Support) 4.4.y branch, which is e.g. used by a community
maintaining alternative Android builds for devices no longer supported by their
vendors.
Given that there is a community extending the lifetime of the 4.4.y LTS branch, it
is reasonable to assume that there are many other devices besides mine that still
use the 4.4.y branch and benefit from the change to 4.9.y, which will then be backported
to 4.4.y by the CIP. And by extension one can assume that 4.9.y is and will be used
for some devices where moving to 4.14.y is not feasible due to e.g. proprietary
interfaces or simply the amount of work required to reapply all modifications
from e.g. Android/Google and different vendors to a newer kernel, given that maintainers
of such devices are often very limited in resources and time.

Regards,
Alex

[1] https://lore.kernel.org/all/YsrKlIEV2ytKcWb8@xxxxxxxxx/
[2] https://source.android.com/security/bulletin/2022-03-01#kernel-components-05
[3] https://lore.kernel.org/all/20171026084055.25482-1-mjg59@xxxxxxxxxx/
