KS2010: Security
Posted Nov 6, 2010 9:52 UTC (Sat) by Lionel_Debroux (subscriber, #30014)
In reply to: KS2010: Security by PaXTeam
Parent article: KS2010: Security
Thanks for the clarification :)
I haven't seen any reply about the broken-out form, if any, of the large grsecurity patch?
Posted Nov 6, 2010 11:19 UTC (Sat)
by PaXTeam (guest, #24616)
multiple people worked on this over time with different methods and eventually there was some evolution in that coccinelle proved smarter than grep/sed ;). note that it's still not all roses as according to Emese coccinelle has (or used to have, i'm not following this nowadays) some limitation in how it parsed include files (no recursion was the big problem, iirc) so when you do not only want to generate patches for specific structures but also want coccinelle to determine which ones could be constified at all automatically, then you'll have some extra work to do (or find/write another tool). and you'll want this level of automated help as checking every usage of those 200 ops structure types by hand is anything but fun (and no, compiling allyesconfig/allmodconfig doesn't necessarily give you 100% coverage).
> I haven't seen any reply about the broken-out form, if any, of the large grsecurity patch?
because there's no such thing, at most the const patches exist standalone but not the rest.