[GIT PULL] SELinux patches for v5.2

Paul Moore paul at paul-moore.com
Tue May 7 17:23:03 UTC 2019


Hi Linus,

We've got a few SELinux patches for the v5.2 merge window, the
highlights are below:

- Add LSM hooks, and the SELinux implementation, for proper labeling
of kernfs.  While we are only including the SELinux implementation
here, the rest of the LSM folks have given the hooks a thumbs-up.

- Update the SELinux mdp (Make Dummy Policy) script to actually work
on a modern system.

- Disallow userspace to change the LSM credentials via /proc/self/attr
when the task's credentials are already overridden.  The change was
made in procfs because all the LSM folks agreed this was the Right
Thing To Do and duplicating it across each LSM was going to be
annoying.

As a FYI, you will likely run into a minor merge problem with
scripts/selinux/mdp.c due to patches sent up during the v5.1-rcX
cycle, but it is pretty trivial to resolve (just make sure the
kconfig.h include is included).  If you have any questions about the
merge, you know where to find us.

Please pull this for v5.2,
-Paul

--
The following changes since commit 9e98c678c2d6ae3a17cb2de55d17f69dddaa231b:

 Linux 5.1-rc1 (2019-03-17 14:22:26 -0700)

are available in the Git repository at:

 git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
   tags/selinux-pr-20190507

for you to fetch changes up to 35a196bef449b5824033865b963ed9a43fb8c730:

 proc: prevent changes to overridden credentials (2019-04-29 09:51:21 -0400)

----------------------------------------------------------------
selinux/stable-5.2 PR 20190507

----------------------------------------------------------------
Arnd Bergmann (1):
     selinux: avoid uninitialized variable warning

Ondrej Mosnacek (10):
     kernfs: clean up struct kernfs_iattrs
     kernfs: do not alloc iattrs in kernfs_xattr_get
     selinux: try security xattr after genfs for kernfs filesystems
     kernfs: use simple_xattrs for security attributes
     LSM: add new hook for kernfs node initialization
     selinux: implement the kernfs_init_security hook
     kernfs: initialize security of newly created nodes
     LSM: lsm_hooks.h - fix missing colon in docstring
     selinux: remove useless assignments
     kernfs: fix xattr name handling in LSM helpers

Paul Moore (2):
     MAINTAINERS: update SELinux file patterns
     proc: prevent changes to overridden credentials

Paulo Alcantara (1):
     selinux: use kernel linux/socket.h for genheaders and mdp

Stephen Smalley (2):
     scripts/selinux: modernize mdp
     scripts/selinux: fix build

Tetsuo Handa (1):
     selinux: Check address length before reading address family

YueHaibing (1):
     selinux: Make selinux_kernfs_init_security static

MAINTAINERS                             |   2 +-
fs/kernfs/dir.c                         |  24 ++--
fs/kernfs/inode.c                       | 162 +++++++++--------------
fs/kernfs/kernfs-internal.h             |   8 +-
fs/kernfs/symlink.c                     |   4 +-
fs/proc/base.c                          |   5 +
include/linux/kernfs.h                  |  13 ++
include/linux/lsm_hooks.h               |  13 ++
include/linux/security.h                |   9 ++
scripts/selinux/genheaders/genheaders.c |   1 -
scripts/selinux/install_policy.sh       |  92 +++++++------
scripts/selinux/mdp/Makefile            |   2 +-
scripts/selinux/mdp/mdp.c               | 166 ++++++++++++++++++++----
security/security.c                     |   6 +
security/selinux/hooks.c                | 229 +++++++++++++++++++++----------
security/selinux/include/classmap.h     |   1 +
security/selinux/include/security.h     |   1 +
security/selinux/netlabel.c             |  14 +-
security/selinux/ss/services.c          |   7 +-
19 files changed, 488 insertions(+), 271 deletions(-)

-- 
paul moore
www.paul-moore.com


