26 May, 2023
1 commit
- 
A random collection of spelling fixes for source files in the LSM
 layer.

 Reviewed-by: Casey Schaufler
 Signed-off-by: Paul Moore
18 Mar, 2023
1 commit
- 
We can change unix_sk() to propagate its argument const qualifier,
 thanks to container_of_const().

 We need to change dump_common_audit_data() 'struct unix_sock *u'
 local var to get a const attribute.

 Signed-off-by: Eric Dumazet
 Reviewed-by: Simon Horman
 Signed-off-by: David S. Miller
17 Mar, 2023
1 commit
- 
We can change inet_sk() to propagate the const qualifier of its argument.

 This should avoid some potential errors caused by accidental
 (const -> not_const) promotion.

 Other helpers like tcp_sk(), udp_sk(), raw_sk() will be handled
 in separate patch series.

 v2: use container_of_const() as advised by Jakub and Linus

 Signed-off-by: Eric Dumazet
 Link: https://lore.kernel.org/netdev/20230315142841.3a2ac99a@kernel.org/
 Link: https://lore.kernel.org/netdev/CAHk-=wiOf12nrYEF2vJMcucKjWPN-Ns_SW9fA7LwST_2Dzp7rw@mail.gmail.com/
 Signed-off-by: David S. Miller
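The const propagation that the unix_sk() commit above and the inet_sk() commit here rely on is easiest to see in isolation. The following is an added example, not code from the kernel or from either patch: it uses a stand-in container_of_const() with the same _Generic shape as the kernel macro, hypothetical cut-down struct sock / struct unix_sock layouts, and a type-level probe to show that the legacy accessor silently turns a const pointer into a writable one while the container_of_const() form keeps the qualifier.

```c
#include <stddef.h>

/* Stand-ins for the kernel's container_of() and container_of_const()
 * (same shape as include/linux/container_of.h, trimmed of its checks). */
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

#define container_of_const(ptr, type, member)					\
	_Generic(ptr,								\
		const __typeof__(*(ptr)) *: ((const type *)container_of(ptr, type, member)), \
		default: ((type *)container_of(ptr, type, member)))

/* Hypothetical cut-down socket structs; the real layouts are much larger. */
struct sock { int sk_family; int sk_refcnt; };
struct unix_sock { struct sock sk; int bound; };

/* Pre-patch shape: takes a const pointer but hands back a writable one, so
 * a caller declared with `const struct sock *` can still mutate the socket. */
static inline struct unix_sock *unix_sk_legacy(const struct sock *sk)
{
	return (struct unix_sock *)sk;
}

/* Post-patch shape: the argument's constness is propagated to the result. */
#define unix_sk(ptr) container_of_const(ptr, struct unix_sock, sk)

/* Compile-time probe on the expression's type: 1 for a const pointer,
 * 0 for a writable one (any other type is a compile error). */
#define IS_CONST_UNIX_SOCK_PTR(e) \
	_Generic((e), const struct unix_sock *: 1, struct unix_sock *: 0)

int legacy_result_is_const(const struct sock *sk)
{
	return IS_CONST_UNIX_SOCK_PTR(unix_sk_legacy(sk));	/* 0: const lost */
}

int new_result_is_const(const struct sock *sk)
{
	return IS_CONST_UNIX_SOCK_PTR(unix_sk(sk));		/* 1: const kept */
}

int new_result_is_const_nonconst_arg(struct sock *sk)
{
	return IS_CONST_UNIX_SOCK_PTR(unix_sk(sk));		/* 0: still writable */
}

/* Read-only helper in the style of dump_common_audit_data(): with the new
 * unix_sk() the local has to be `const struct unix_sock *`, and a stray
 * `u->bound = 1` here would fail to compile instead of silently writing. */
int unix_sock_is_bound(const struct sock *sk)
{
	const struct unix_sock *u = unix_sk(sk);

	return u->bound;
}

/* Sample object for the checks below (constructed, not kernel data). */
struct unix_sock sample_unix_sock = { .sk = { .sk_family = 1, .sk_refcnt = 1 }, .bound = 1 };

/* Round trip: container_of_const() recovers the enclosing unix_sock from
 * both a const and a non-const pointer to its embedded sock. */
int unix_sk_recovers_container(void)
{
	const struct sock *csk = &sample_unix_sock.sk;

	return unix_sk(csk) == &sample_unix_sock &&
	       unix_sk(&sample_unix_sock.sk) == &sample_unix_sock;
}
```

The probes are evaluated by _Generic at compile time, so the "const lost" case is visible without running anything; the round-trip function is there to confirm the pointer arithmetic behind both branches is the same.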
28 Oct, 2022
1 commit
- 
The current code provokes some kernel-doc warnings:

 security/lsm_audit.c:198: warning: Function parameter or member
 'ab' not described in 'dump_common_audit_data'

 Signed-off-by: Bo Liu
 [PM: description line wrap]
 Signed-off-by: Paul Moore
16 Aug, 2022
1 commit
- 
The implementations of {ip,tcp,udp,dccp,sctp,ipv6}_hdr(skb) guarantee that
 they will never return NULL, and elsewhere users don't do the check
 either, so remove the check here.

 Signed-off-by: Xiu Jianfeng
 [PM: subject line tweaks]
 Signed-off-by: Paul Moore
04 May, 2022
1 commit
- 
Log the anonymous inode class name in the security hook
 inode_init_security_anon. This name is the key for name based type
 transitions on the anon_inode security class on creation. Example:

 type=AVC msg=audit(02/16/22 22:02:50.585:216) : avc: granted \
 { create } for pid=2136 comm=mariadbd anonclass=[io_uring] \
 scontext=system_u:system_r:mysqld_t:s0 \
 tcontext=system_u:system_r:mysqld_iouring_t:s0 tclass=anon_inode

 Add a new LSM audit data type holding the inode and the class name.

 Signed-off-by: Christian Göttsche
 [PM: adjusted 'anonclass' to be a trusted string, cgzones approved]
 Signed-off-by: Paul Moore
20 Sep, 2021
1 commit
- 
The "key" field is used to associate records with the rule that
 triggered them, so it's not a good idea to overload it with an
 additional IPC key semantic. Moreover, as the classic "key" field is a
 text field, while the IPC key is numeric, AVC records containing the IPC
 key info actually confuse audit userspace, which tries to interpret the
 number as a hex-encoded string, thus showing garbage for example in the
 ausearch "interpret" output mode.

 Hence, change it to "ipc_key" to fix both issues and also make the
 meaning of this field more clear.

 Signed-off-by: Ondrej Mosnacek
 Reviewed-by: Richard Guy Briggs
 Signed-off-by: Paul Moore
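To see why a numeric value in the text "key" field confuses an interpreting consumer, here is an added C example; it is not kernel code and not audit-userspace code. It pulls fields out of two constructed AVC records, one with the old key= layout and one with ipc_key=, and applies a hex-pair decode modelled on the "interpret" behaviour the message describes. The sample records, their contexts and the interpret_hex_string() model of the userspace rule are assumptions for illustration.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample AVC records (made-up values, not from a real log):
 * the old layout carries the IPC key in the untrusted "key" field, the
 * new one in the dedicated numeric "ipc_key" field. */
static const char OLD_RECORD[] =
	"type=AVC msg=audit(1600000000.000:101): avc: denied { read } for pid=1234 "
	"comm=\"ipcs\" key=1234 scontext=system_u:system_r:ipcs_t:s0 "
	"tcontext=system_u:object_r:shm_t:s0 tclass=shm permissive=0";
static const char NEW_RECORD[] =
	"type=AVC msg=audit(1600000000.000:102): avc: denied { read } for pid=1234 "
	"comm=\"ipcs\" ipc_key=1234 scontext=system_u:system_r:ipcs_t:s0 "
	"tcontext=system_u:object_r:shm_t:s0 tclass=shm permissive=0";
static char scratch[64];	/* shared buffer for ad-hoc field lookups */

/* Copy the value of field `name` out of a space-separated name=value
 * record. The name must start at a field boundary and be followed by '=',
 * so "key" does not match inside "ipc_key". Quotes are stripped.
 * Returns 1 if found, 0 otherwise. */
int avc_get_field(const char *rec, const char *name, char *out, size_t outlen)
{
	size_t nlen = strlen(name), vlen;
	const char *p = rec, *v, *e;

	while ((p = strstr(p, name)) != NULL) {
		if ((p != rec && p[-1] != ' ') || p[nlen] != '=') {
			p += nlen;
			continue;
		}
		v = p + nlen + 1;
		if (*v == '"') {			/* quoted: up to closing quote */
			v++;
			if ((e = strchr(v, '"')) == NULL)
				return 0;
		} else {				/* bare: up to next space */
			for (e = v; *e && *e != ' '; e++)
				;
		}
		vlen = (size_t)(e - v);
		if (vlen >= outlen)
			return 0;
		memcpy(out, v, vlen);
		out[vlen] = '\0';
		return 1;
	}
	return 0;
}

/* Model of the userspace "interpret" rule for an untrusted-string field
 * such as "key": a bare (unquoted) value is hex-encoded bytes. Decodes
 * into `out`; returns the byte count, or -1 if the text is not hex pairs. */
int interpret_hex_string(const char *hex, unsigned char *out, size_t outlen)
{
	size_t n = strlen(hex), i;

	if (n == 0 || n % 2 || n / 2 > outlen)
		return -1;
	for (i = 0; i < n; i += 2) {
		char pair[3] = { hex[i], hex[i + 1], '\0' };

		if (!isxdigit((unsigned char)pair[0]) || !isxdigit((unsigned char)pair[1]))
			return -1;
		out[i / 2] = (unsigned char)strtoul(pair, NULL, 16);
	}
	return (int)(n / 2);
}

/* Old layout, walked the way the interpreting consumer does: returns 1 if
 * the IPC key in "key=" decodes to bytes containing control characters
 * (shown as garbage), 0 if it happens to be printable, -1 on parse error. */
int old_layout_key_renders_as_garbage(void)
{
	char val[64];
	unsigned char bytes[32];
	int n, i;

	if (!avc_get_field(OLD_RECORD, "key", val, sizeof(val)))
		return -1;
	n = interpret_hex_string(val, bytes, sizeof(bytes));	/* "1234" -> 0x12 0x34 */
	for (i = 0; i < n; i++)
		if (bytes[i] < 0x20 || bytes[i] > 0x7e)
			return 1;
	return n < 0 ? -1 : 0;
}

/* New layout: "ipc_key=" is numeric, so a plain decimal parse is correct.
 * Returns the key, or -1 if the field is missing or not a non-negative number. */
long new_layout_ipc_key(void)
{
	char val[64], *end;
	long k;

	if (!avc_get_field(NEW_RECORD, "ipc_key", val, sizeof(val)) || !*val)
		return -1;
	k = strtol(val, &end, 10);
	return (*end == '\0' && k >= 0) ? k : -1;
}
```

The boundary check in avc_get_field() matters for the same reason the rename does: once the field is called ipc_key, a consumer looking up the rule "key" must not find it inside the IPC field, and a decimal key like 1234 decoded as hex pairs yields 0x12 0x34, which is exactly the unprintable output the message describes.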
12 Jun, 2021
1 commit
- 
The variable 'ret' is set to 0 when declared.
 The 'ret' is unused until it is set to 0 again.

 So it is better to remove the unnecessary initialization.

 Signed-off-by: Austin Kim
 Signed-off-by: Paul Moore
17 Jan, 2021
2 commits
- 
Signed-off-by: Al Viro 
- 
We are not guaranteed the locking environment that would prevent
 dentry getting renamed right under us. And it's possible for
 old long name to be freed after rename, leading to UAF here.

 Cc: stable@kernel.org # v2.6.2+
 Signed-off-by: Al Viro
17 Dec, 2020
1 commit
- 
Pull audit updates from Paul Moore:
 "A small set of audit patches for v5.11 with four patches in total and
 only one of any real significance.

 Richard's patch to trigger accompanying records causes the kernel to
 emit additional related records when an audit event occurs; helping
 provide some much needed context to events in the audit log. It is
 also worth mentioning that this is a revised patch based on an earlier
 attempt that had to be reverted in the v5.8 time frame.

 Everything passes our test suite, and with no problems reported please
 merge this for v5.11"

 * tag 'audit-pr-20201214' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit:
 audit: replace atomic_add_return()
 audit: fix macros warnings
 audit: trigger accompanying records when no rules present
 audit: fix a kernel-doc markup
04 Dec, 2020
1 commit
- 
A followup change to tcp_request_sock_op would have to drop the 'const'
 qualifier from the 'route_req' function as the
 'security_inet_conn_request' call is moved there - and that function
 expects a 'struct sock *'.

 However, it turns out it's also possible to add a const qualifier to
 security_inet_conn_request instead.

 Signed-off-by: Florian Westphal
 Acked-by: James Morris
 Signed-off-by: Jakub Kicinski
28 Oct, 2020
1 commit
- 
When there are no audit rules registered, mandatory records (config,
 etc.) are missing their accompanying records (syscall, proctitle, etc.).

 This is due to audit context dummy set on syscall entry based on absence
 of rules that signals that no other records are to be printed. Clear the dummy
 bit if any record is generated, open coding this in audit_log_start().

 The proctitle context and dummy checks are pointless since the
 proctitle record will not be printed if no syscall records are printed.

 The fds array is reset to -1 after the first syscall to indicate it
 isn't valid any more, but was never set to -1 when the context was
 allocated to indicate it wasn't yet valid.

 Check ctx->pwd in audit_log_name().

 The audit_inode* functions can be called without going through
 getname_flags() or getname_kernel() that sets audit_names and cwd, so
 set the cwd in audit_alloc_name() if it has not already been done so due to
 audit_names being valid and purge all other audit_getcwd() calls.

 Revert the LSM dump_common_audit_data() LSM_AUDIT_DATA_* cases from the
 ghak96 patch since they are no longer necessary due to cwd coverage in
 audit_alloc_name().

 Thanks to bauen1 for reporting LSM situations in
 which context->cwd is not valid, inadvertently fixed by the ghak96 patch.

 Please see upstream github issue
 https://github.com/linux-audit/audit-kernel/issues/120
 This is also related to upstream github issue
 https://github.com/linux-audit/audit-kernel/issues/96

 Signed-off-by: Richard Guy Briggs
 Signed-off-by: Paul Moore
21 Jul, 2020
1 commit
- 
audit_log_string() was intended to be an internal audit function and
 since there are only two internal uses, remove them. Purge all external
 uses of it by restructuring code to use an existing audit_log_format()
 or using audit_log_format().

 Please see the upstream issue
 https://github.com/linux-audit/audit-kernel/issues/84

 Signed-off-by: Richard Guy Briggs
 Signed-off-by: Paul Moore
09 Jul, 2020
1 commit
- 
The LSM_AUDIT_DATA_* records for PATH, FILE, IOCTL_OP, DENTRY and INODE
 are incomplete without the task context of the AUDIT Current Working
 Directory record. Add it.

 This record addition can't use audit_dummy_context to determine whether
 or not to store the record information since the LSM_AUDIT_DATA_*
 records are initiated by various LSMs independent of any audit rules.
 context->in_syscall is used to determine if it was called in user
 context like audit_getname.

 Please see the upstream issue
 https://github.com/linux-audit/audit-kernel/issues/96

 Adapted from Vladis Dronov's v2 patch.

 Signed-off-by: Richard Guy Briggs
 Signed-off-by: Paul Moore
10 Dec, 2019
1 commit
- 
Implement a SELinux hook for lockdown. If the lockdown module is also
 enabled, then a denial by the lockdown module will take precedence over
 SELinux, so SELinux can only further restrict lockdown decisions.
 The SELinux hook only distinguishes at the granularity of integrity
 versus confidentiality similar to the lockdown module, but includes the
 full lockdown reason as part of the audit record as a hint in diagnosing
 what triggered the denial. To support this auditing, move the
 lockdown_reasons[] string array from being private to the lockdown
 module to the security framework so that it can be used by the lsm audit
 code and so that it is always available even when the lockdown module
 is disabled.

 Note that the SELinux implementation allows the integrity and
 confidentiality reasons to be controlled independently from one another.
 Thus, in an SELinux policy, one could allow operations that specify
 an integrity reason while blocking operations that specify a
 confidentiality reason. The SELinux hook implementation is
 stricter than the lockdown module in validating the provided reason value.

 Sample AVC audit output from denials:

 avc: denied { integrity } for pid=3402 comm="fwupd"
 lockdown_reason="/dev/mem,kmem,port" scontext=system_u:system_r:fwupd_t:s0
 tcontext=system_u:system_r:fwupd_t:s0 tclass=lockdown permissive=0

 avc: denied { confidentiality } for pid=4628 comm="cp"
 lockdown_reason="/proc/kcore access"
 scontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023
 tcontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023
 tclass=lockdown permissive=0

 Signed-off-by: Stephen Smalley
 Reviewed-by: James Morris
 [PM: some merge fuzz due to the perf hooks]
 Signed-off-by: Paul Moore
19 Jun, 2019
1 commit
- 
Based on 2 normalized pattern(s):

 this program is free software you can redistribute it and or modify
 it under the terms of the gnu general public license version 2 as
 published by the free software foundation

 this program is free software you can redistribute it and or modify
 it under the terms of the gnu general public license version 2 as
 published by the free software foundation #

 extracted by the scancode license scanner the SPDX license identifier

 GPL-2.0-only

 has been chosen to replace the boilerplate/reference in 4122 file(s).

 Signed-off-by: Thomas Gleixner
 Reviewed-by: Enrico Weigelt
 Reviewed-by: Kate Stewart
 Reviewed-by: Allison Randal
 Cc: linux-spdx@vger.kernel.org
 Link: https://lkml.kernel.org/r/20190604081206.933168790@linutronix.de
 Signed-off-by: Greg Kroah-Hartman
21 Feb, 2019
1 commit
- 
Several u->addr and u->path users are not holding any locks in
 common with unix_bind(). unix_state_lock() is useless for those
 purposes.

 u->addr is assign-once and *(u->addr) is fully set up by the time
 we set u->addr (all under unix_table_lock). u->path is also
 set in the same critical area, also before setting u->addr, and
 any unix_sock with ->path filled will have non-NULL ->addr.

 So setting ->addr with smp_store_release() is all we need for those
 "lockless" users - just have them fetch ->addr with smp_load_acquire()
 and don't even bother looking at ->path if they see NULL ->addr.

 Users of ->addr and ->path fall into several classes now:
 1) ones that do smp_load_acquire(u->addr) and access *(u->addr)
 and u->path only if smp_load_acquire() has returned non-NULL.
 2) places holding unix_table_lock. These are guaranteed that
 *(u->addr) is seen fully initialized. If unix_sock is in one of the
 "bound" chains, so's ->path.
 3) unix_sock_destructor() using ->addr is safe. All places
 that set u->addr are guaranteed to have seen all stores *(u->addr)
 while holding a reference to u and unix_sock_destructor() is called
 when (atomic) refcount hits zero.
 4) unix_release_sock() using ->path is safe. unix_bind()
 is serialized wrt unix_release() (normally - by struct file
 refcount), and for the instances that had ->path set by unix_bind()
 unix_release_sock() comes from unix_release(), so they are fine.
 Instances that had it set in unix_stream_connect() either end up
 attached to a socket (in unix_accept()), in which case the call
 chain to unix_release_sock() and serialization are the same as in
 the previous case, or they never get accept'ed and unix_release_sock()
 is called when the listener is shut down and its queue gets purged.
 In that case the listener's queue lock provides the barriers needed -
 unix_stream_connect() shoves our unix_sock into listener's queue
 under that lock right after having set ->path and eventual
 unix_release_sock() caller picks them from that queue under the
 same lock right before calling unix_release_sock().
 5) unix_find_other() use of ->path is pointless, but safe -
 it happens with successful lookup by (abstract) name, so ->path.dentry
 is guaranteed to be NULL there.

 earlier-variant-reviewed-by: "Paul E. McKenney"
 Signed-off-by: Al Viro
 Signed-off-by: David S. Miller
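The publication discipline in the first three paragraphs of that message (fully initialise the address and ->path, store ->addr with release, readers acquire-load ->addr and never look at ->path when it is NULL) can be shown in userspace C. This is an added example, not the kernel's net/unix code: it uses C11 stdatomic release/acquire as the userspace analogue of smp_store_release()/smp_load_acquire(), hypothetical cut-down struct unix_address / struct unix_sock layouts, and made-up path and name strings. It is single-threaded and demonstrates the ordering contract and the NULL-check rule of the class-1 readers, not a concurrent stress test.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical, cut-down shapes of the unix socket structures, used only
 * for this example (not the kernel's definitions). */
struct unix_address {
	int len;
	char name[64];
};

struct unix_sock {
	_Atomic(struct unix_address *) addr;	/* assign-once; NULL until bound */
	const char *path;			/* set before addr, same critical section */
	int refcnt;
};

static struct unix_sock unbound_sock;		/* zero-initialised: addr == NULL */

/* Bind side (analogue of unix_bind() under unix_table_lock): fully set up
 * *a and ->path first, then publish ->addr with a release store so that a
 * reader who observes non-NULL ->addr also observes those earlier stores.
 * Returns 0, or -1 if the name does not fit or the socket is already bound. */
int unix_publish_addr(struct unix_sock *u, struct unix_address *a,
		      const char *path, const char *name)
{
	size_t n = strlen(name);

	if (n >= sizeof(a->name))
		return -1;
	if (atomic_load_explicit(&u->addr, memory_order_relaxed) != NULL)
		return -1;			/* assign-once: refuse a second bind */
	memcpy(a->name, name, n + 1);
	a->len = (int)n;
	u->path = path;
	atomic_store_explicit(&u->addr, a, memory_order_release);
	return 0;
}

/* Lockless reader (the class-1 users, e.g. dumping a unix socket for an
 * audit record): acquire-load ->addr exactly once and touch *addr only if
 * that load returned non-NULL. Copies the name into `out`; returns its
 * length, 0 for an unbound socket, -1 if `out` is too small. */
int unix_copy_addr_name(const struct unix_sock *u, char *out, size_t outlen)
{
	const struct unix_address *a =
		atomic_load_explicit(&u->addr, memory_order_acquire);

	if (a == NULL)
		return 0;			/* unbound: nothing to read */
	if ((size_t)a->len >= outlen)
		return -1;
	memcpy(out, a->name, (size_t)a->len + 1);
	return a->len;
}

/* Reader of ->path with the same discipline: a NULL ->addr means ->path
 * must not be consulted at all, since it is only valid once ->addr is set. */
const char *unix_path_if_bound(const struct unix_sock *u)
{
	if (atomic_load_explicit(&u->addr, memory_order_acquire) == NULL)
		return NULL;
	return u->path;
}

/* Walk-through: unbound reader sees nothing, bind publishes, reader sees
 * a complete address and path, and a second bind is refused. Returns 1
 * when every step behaves as described, 0 otherwise. */
int unix_publish_walkthrough(void)
{
	static struct unix_address addr;
	struct unix_sock u = { .addr = NULL, .path = NULL, .refcnt = 1 };
	char buf[64];

	if (unix_copy_addr_name(&u, buf, sizeof(buf)) != 0)
		return 0;
	if (unix_path_if_bound(&u) != NULL)
		return 0;
	if (unix_publish_addr(&u, &addr, "/run/example.sock", "example") != 0)
		return 0;
	if (unix_copy_addr_name(&u, buf, sizeof(buf)) != 7 || strcmp(buf, "example") != 0)
		return 0;
	if (strcmp(unix_path_if_bound(&u), "/run/example.sock") != 0)
		return 0;
	return unix_publish_addr(&u, &addr, "/run/other.sock", "other") == -1;
}
```

The two readers load ->addr once and branch on that single value; re-reading the field after the NULL check would reintroduce exactly the window the kernel change closes, because a concurrent bind could publish in between.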
15 May, 2018
1 commit
- 
Recognizing that the audit context is an internal audit value, use an
 access function to retrieve the audit context pointer for the task
 rather than reaching directly into the task struct to get it.

 Signed-off-by: Richard Guy Briggs
 [PM: merge fuzz in auditsc.c and selinuxfs.c, checkpatch.pl fixes]
 Signed-off-by: Paul Moore
18 Aug, 2017
1 commit
- 
Update my email address since epoch.ncsc.mil no longer exists.
 MAINTAINERS and CREDITS are already correct.

 Signed-off-by: Stephen Smalley
 Signed-off-by: Paul Moore
24 May, 2017
2 commits
- 
Add a type for Infiniband ports and an access vector for subnet
 management packets. Implement the ib_port_smp hook to check that the
 caller has permission to send and receive SMPs on the end port specified
 by the device name and port. Add interface to query the SID for a IB
 port, which walks the IB_PORT ocontexts to find an entry for the
 given name and port.

 Signed-off-by: Daniel Jurgens
 Reviewed-by: James Morris
 Acked-by: Doug Ledford
 Signed-off-by: Paul Moore
- 
Add a type and access vector for PKeys. Implement the ib_pkey_access
 hook to check that the caller has permission to access the PKey on the
 given subnet prefix. Add an interface to get the PKey SID. Walk the PKey
 ocontexts to find an entry for the given subnet prefix and pkey.

 Signed-off-by: Daniel Jurgens
 Reviewed-by: James Morris
 Acked-by: Doug Ledford
 Signed-off-by: Paul Moore
05 Oct, 2016
1 commit
- 
Pull security subsystem updates from James Morris:

 SELinux/LSM:
 - overlayfs support, necessary for container filesystems

 LSM:
 - finally remove the kernel_module_from_file hook

 Smack:
 - treat signal delivery as an 'append' operation

 TPM:
 - lots of bugfixes & updates

 Audit:
 - new audit data type: LSM_AUDIT_DATA_FILE

 * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (47 commits)
 Revert "tpm/tpm_crb: implement tpm crb idle state"
 Revert "tmp/tpm_crb: fix Intel PTT hw bug during idle state"
 Revert "tpm/tpm_crb: open code the crb_init into acpi_add"
 Revert "tmp/tpm_crb: implement runtime pm for tpm_crb"
 lsm,audit,selinux: Introduce a new audit data type LSM_AUDIT_DATA_FILE
 tmp/tpm_crb: implement runtime pm for tpm_crb
 tpm/tpm_crb: open code the crb_init into acpi_add
 tmp/tpm_crb: fix Intel PTT hw bug during idle state
 tpm/tpm_crb: implement tpm crb idle state
 tpm: add check for minimum buffer size in tpm_transmit()
 tpm: constify TPM 1.x header structures
 tpm/tpm_crb: fix the over 80 characters checkpatch warring
 tpm/tpm_crb: drop useless cpu_to_le32 when writing to registers
 tpm/tpm_crb: cache cmd_size register value.
 tmp/tpm_crb: drop include to platform_device
 tpm/tpm_tis: remove unused itpm variable
 tpm_crb: fix incorrect values of cmdReady and goIdle bits
 tpm_crb: refine the naming of constants
 tpm_crb: remove wmb()'s
 tpm_crb: fix crb_req_canceled behavior
 ...
20 Sep, 2016
1 commit
- 
Right now LSM_AUDIT_DATA_PATH type contains "struct path" in union "u"
 of common_audit_data. This information is used to print path of file
 at the same time it is also used to get to dentry and inode. And this
 inode information is used to get to superblock and device and print
 device information.

 This does not work well for layered filesystems like overlay where dentry
 contained in path is overlay dentry and not the real dentry of underlying
 file system. That means inode retrieved from dentry is also overlay
 inode and not the real inode.

 SELinux helpers like file_path_has_perm() are doing checks on inode
 retrieved from file_inode(). This returns the real inode and not the
 overlay inode. That means we are doing check on real inode but for audit
 purposes we are printing details of overlay inode and that can be
 confusing while debugging.

 Hence, introduce a new type LSM_AUDIT_DATA_FILE which carries file
 information and inode retrieved is real inode using file_inode(). That
 way right avc denied information is given to user.

 For example, following is one example avc before the patch.

 type=AVC msg=audit(1473360868.399:214): avc: denied { read open } for
 pid=1765 comm="cat"
 path="/root/.../overlay/container1/merged/readfile"
 dev="overlay" ino=21443
 scontext=unconfined_u:unconfined_r:test_overlay_client_t:s0:c10,c20
 tcontext=unconfined_u:object_r:test_overlay_files_ro_t:s0
 tclass=file permissive=0

 It looks as follows after the patch.

 type=AVC msg=audit(1473360017.388:282): avc: denied { read open } for
 pid=2530 comm="cat"
 path="/root/.../overlay/container1/merged/readfile"
 dev="dm-0" ino=2377915
 scontext=unconfined_u:unconfined_r:test_overlay_client_t:s0:c10,c20
 tcontext=unconfined_u:object_r:test_overlay_files_ro_t:s0
 tclass=file permissive=0

 Notice that now dev information points to "dm-0" device instead of
 "overlay" device. This makes it clear that check failed on underlying
 inode and not on the overlay inode.

 Signed-off-by: Vivek Goyal
 [PM: slight tweaks to the description to make checkpatch.pl happy]
 Signed-off-by: Paul Moore
31 Aug, 2016
1 commit
- 
Unfortunately we record PIDs in audit records using a variety of
 methods despite the correct way being the use of task_tgid_nr().
 This patch converts all of these callers, except for the case of
 AUDIT_SET in audit_receive_msg() (see the comment in the code).

 Reported-by: Jeff Vander Stoep
 Signed-off-by: Paul Moore
09 Aug, 2016
2 commits
- 
ioctlcmd is currently printing hex numbers, but there is no leading
 0x. Thus things like ioctlcmd=1234 are misleading, as the base is
 not evident.

 Correct this by adding 0x as a prefix, so ioctlcmd=1234 becomes
 ioctlcmd=0x1234.

 Signed-off-by: William Roberts
 Signed-off-by: Paul Moore
- 
The IS_ENABLED() macro checks if a Kconfig symbol has been enabled
 either built-in or as a module, use that macro instead of open coding
 the same.

 Signed-off-by: Javier Martinez Canillas
 Acked-by: Casey Schaufler
 Signed-off-by: Paul Moore
15 Aug, 2015
1 commit
14 Jul, 2015
1 commit
- 
Add information about ioctl calls to the LSM audit data. Log the
 file path and command number.

 Signed-off-by: Jeff Vander Stoep
 Acked-by: Nick Kralevich
 [PM: subject line tweak]
 Signed-off-by: Paul Moore
28 Jun, 2015
1 commit
- 
Pull audit updates from Paul Moore:
 "Four small audit patches for v4.2, all bug fixes. Only 10 lines of
 change this time so very unremarkable, the patch subject lines pretty
 much tell the whole story"

 * 'upstream' of git://git.infradead.org/users/pcmoore/audit:
 audit: Fix check of return value of strnlen_user()
 audit: obsolete audit_context check is removed in audit_filter_rules()
 audit: fix for typo in comment to function audit_log_link_denied()
 lsm: rename duplicate labels in LSM_AUDIT_DATA_TASK audit message type
30 May, 2015
1 commit
- 
The LSM_AUDIT_DATA_TASK pid= and comm= labels are duplicates of those at the
 start of this function with different values. Rename them to their object
 counterparts opid= and ocomm= to disambiguate.

 Signed-off-by: Richard Guy Briggs
 [PM: minor merging needed due to differences in the tree]
 Signed-off-by: Paul Moore
27 Apr, 2015
1 commit
- 
Pull fourth vfs update from Al Viro:
 "d_inode() annotations from David Howells (sat in for-next since before
 the beginning of merge window) + four assorted fixes"

 * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
 RCU pathwalk breakage when running into a symlink overmounting something
 fix I_DIO_WAKEUP definition
 direct-io: only inc/dec inode->i_dio_count for file systems
 fs/9p: fix readdir()
 VFS: assorted d_backing_inode() annotations
 VFS: fs/inode.c helpers: d_inode() annotations
 VFS: fs/cachefiles: d_backing_inode() annotations
 VFS: fs library helpers: d_inode() annotations
 VFS: assorted weird filesystems: d_inode() annotations
 VFS: normal filesystems (and lustre): d_inode() annotations
 VFS: security/: d_inode() annotations
 VFS: security/: d_backing_inode() annotations
 VFS: net/: d_inode() annotations
 VFS: net/unix: d_backing_inode() annotations
 VFS: kernel/: d_inode() annotations
 VFS: audit: d_backing_inode() annotations
 VFS: Fix up some ->d_inode accesses in the chelsio driver
 VFS: Cachefiles should perform fs modifications on the top layer only
 VFS: AF_UNIX sockets should call mknod on the top layer only
16 Apr, 2015
1 commit
- 
most of the ->d_inode uses there refer to the same inode IO would
 go to, i.e. d_backing_inode()

 Signed-off-by: David Howells
 Signed-off-by: Al Viro
15 Apr, 2015
1 commit
- 
When task->comm is passed directly to audit_log_untrustedstring() without
 getting a copy or using the task_lock, there is a race that could happen that
 would output a NULL (\0) in the middle of the output string that would
 effectively truncate the rest of the report text after the comm= field in the
 audit log message, losing fields.

 Using get_task_comm() to get a copy while acquiring the task_lock to prevent
 this and to prevent the result from being a mixture of old and new values of
 comm would incur potentially unacceptable overhead, considering that the value
 can be influenced by userspace and therefore untrusted anyways.

 Copying the value before passing it to audit_log_untrustedstring() ensures that a
 local copy is used to calculate the length *and* subsequently printed. Even if
 this value contains a mix of old and new values, it will only calculate and
 copy up to the first NULL, preventing the rest of the audit log message being
 truncated.

 Use a second local copy of comm to avoid a race between the first and second
 calls to audit_log_untrustedstring() with comm.

 Reported-by: Tetsuo Handa
 Signed-off-by: Richard Guy Briggs
 Signed-off-by: James Morris
20 Mar, 2014
1 commit
- 
Store and log all PIDs with reference to the initial PID namespace and
 use the access functions task_pid_nr() and task_tgid_nr() for task->pid
 and task->tgid.

 Cc: "Eric W. Biederman"
 (informed by ebiederman's c776b5d2)
 Signed-off-by: Richard Guy Briggs
22 Nov, 2013
1 commit
- 
Pull audit updates from Eric Paris:
 "Nothing amazing. Formatting, small bug fixes, couple of fixes where
 we didn't get records due to some old VFS changes, and a change to how
 we collect execve info..."

 Fixed conflict in fs/exec.c as per Eric and linux-next.

 * git://git.infradead.org/users/eparis/audit: (28 commits)
 audit: fix type of sessionid in audit_set_loginuid()
 audit: call audit_bprm() only once to add AUDIT_EXECVE information
 audit: move audit_aux_data_execve contents into audit_context union
 audit: remove unused envc member of audit_aux_data_execve
 audit: Kill the unused struct audit_aux_data_capset
 audit: do not reject all AUDIT_INODE filter types
 audit: suppress stock memalloc failure warnings since already managed
 audit: log the audit_names record type
 audit: add child record before the create to handle case where create fails
 audit: use given values in tty_audit enable api
 audit: use nlmsg_len() to get message payload length
 audit: use memset instead of trying to initialize field by field
 audit: fix info leak in AUDIT_GET requests
 audit: update AUDIT_INODE filter rule to comparator function
 audit: audit feature to set loginuid immutable
 audit: audit feature to only allow unsetting the loginuid
 audit: allow unsetting the loginuid (with priv)
 audit: remove CONFIG_AUDIT_LOGINUID_IMMUTABLE
 audit: loginuid functions coding style
 selinux: apply selinux checks on new audit message types
 ...
06 Nov, 2013
1 commit
- 
Suppress the stock memory allocation failure warnings for audit buffers
 since audit already takes care of memory allocation failure warnings, including
 rate-limiting, in audit_log_start().

 Signed-off-by: Richard Guy Briggs
 Signed-off-by: Eric Paris
10 Oct, 2013
1 commit
- 
CONFIG_IPV6=n is still a valid choice ;)

 It appears we can remove dead code.

 Reported-by: Wu Fengguang
 Signed-off-by: Eric Dumazet
 Signed-off-by: David S. Miller
09 Oct, 2013
1 commit
- 
TCP listener refactoring, part 4 :

 To speed up inet lookups, we moved IPv4 addresses from inet to struct
 sock_common

 Now is time to do the same for IPv6, because it permits us to have fast
 lookups for all kind of sockets, including upcoming SYN_RECV.

 Getting IPv6 addresses in TCP lookups currently requires two extra cache
 lines, plus a dereference (and memory stall).

 inet6_sk(sk) does the dereference of inet_sk(__sk)->pinet6

 This patch is way bigger than its IPv4 counter part, because for IPv4,
 we could add aliases (inet_daddr, inet_rcv_saddr), while on IPv6,
 it's not doable easily.

 inet6_sk(sk)->daddr becomes sk->sk_v6_daddr
 inet6_sk(sk)->rcv_saddr becomes sk->sk_v6_rcv_saddr

 And timewait socket also have tw->tw_v6_daddr & tw->tw_v6_rcv_saddr
 at the same offset.

 We get rid of INET6_TW_MATCH() as INET6_MATCH() is now the generic
 macro.

 Signed-off-by: Eric Dumazet
 Signed-off-by: David S. Miller
10 Apr, 2012
1 commit
- 
We did a lot of work to shrink the common_audit_data. Add a BUILD_BUG_ON
 so future programmers (let's be honest, probably me) won't do something
 foolish like make it large again!

 Signed-off-by: Eric Paris