[GIT PULL] SELinux patches for v5.7

Paul Moore paul at paul-moore.com
Tue Mar 31 00:38:17 UTC 2020

Hi Linus,

We've got twenty SELinux patches for the v5.7 merge window; the
highlights are below.  Beyond the highlights there are a couple of things
I want to call out in this pull request: a merge conflict, and a
maintainer screw-up.

The merge conflict is in security/selinux/hooks.c and is against a
binder fs name fix we sent during the v5.6-rcX cycle; the fixup is
trivial but if you need me to fix it, let me know.  The maintainer
screw-up deals with the second patch from the top of the pull request,
the NFS fix.  The screw-up isn't the fact that this is an NFS patch; we
talked to the NFS guys and they are okay with it.  The issue is that
the commit date is today - during the merge window - which doesn't
reflect the testing the patch received.  The reality is that I merged
this patch back on March 12th, and it has been part of our testing
ever since, but when putting this pull request together I noticed that
I had dropped the subject line from the patch when I was merging it.
Not wanting a malformed commit, I popped the top two patches from the
stack and restored the missing subject line; this had the unfortunate
side effect of making it look like the two top patches were just
merged today - my apologies.

Regardless, here are the highlights:

- Deprecate setting /sys/fs/selinux/checkreqprot to 1.  This flag was
originally created to deal with legacy userspace and the
READ_IMPLIES_EXEC personality flag.  We changed the default from 1 to
0 back in Linux v4.4 and now we are taking the next step of
deprecating it; at some point in the future we will take the final
step of rejecting 1.
- Allow kernfs symlinks to inherit the SELinux label of the parent
directory.  In order to preserve backwards compatibility this is
protected by the genfs_seclabel_symlinks SELinux policy capability.
- Optimize how we store filename transitions in the kernel, resulting
in some significant improvements to policy load times.
- Do a better job calculating our internal hash table sizes which
resulted in additional policy load improvements and likely general
SELinux performance improvements as well.
- Remove the unused initial SIDs (labels) and improve how we handle
initial SIDs.
- Enable per-file labeling for the bpf filesystem.
- Ensure that we properly label NFS v4.2 filesystems to avoid a
temporary unlabeled condition.
- Add some missing XFS quota command types to the SELinux quota access controls.
- Fix a problem where we were not updating the seq_file position index
correctly in selinuxfs.
- We consolidate some duplicated code into helper functions.
- A number of list to array conversions.
- Update Stephen Smalley's email address in MAINTAINERS.

The following changes since commit bb6d3fb354c5ee8d6bde2d576eb7220ea09862b9:

 Linux 5.6-rc1 (2020-02-09 16:08:48 -0800)

are available in the Git repository at:


for you to fetch changes up to c753924b628551564b6eea3c9896e4a95aa25ed9:

 selinux: clean up indentation issue with assignment statement
   (2020-03-30 19:57:07 -0400)

selinux/stable-5.7 PR 20200330

Christian Göttsche (1):
     selinux: allow kernfs symlinks to inherit parent directory context

Colin Ian King (1):
     selinux: clean up indentation issue with assignment statement

Connor O'Brien (1):
     security: selinux: allow per-file labeling for bpffs

Ondrej Mosnacek (10):
     selinux: move status variables out of selinux_ss
     selinux: simplify evaluate_cond_node()
     selinux: convert cond_list to array
     selinux: convert cond_av_list to array
     selinux: convert cond_expr to array
     selinux: generalize evaluate_cond_node()
     selinux: factor out loop body from filename_trans_read()
     selinux: optimize storage of filename transitions
     selinux: reduce the use of hard-coded hash sizes
     selinux: clean up error path in policydb_init()

Paul Moore (1):
     selinux: avtab_init() and cond_policydb_init() return void

Richard Haines (1):
     selinux: Add xfs quota command types

Scott Mayhew (1):
     NFS: Ensure security label is set for root inode

Stephen Smalley (3):
     Documentation,selinux: deprecate setting checkreqprot to 1
     selinux: remove unused initial SIDs and improve handling
     MAINTAINERS: Update my email address

Vasily Averin (1):
     selinux: sel_avc_get_stat_idx should increase position index

.../ABI/obsolete/sysfs-selinux-checkreqprot        |  23 ++
Documentation/admin-guide/kernel-parameters.txt    |   1 +
MAINTAINERS                                        |   3 +-
fs/nfs/getroot.c                                   |  39 ++-
fs/nfs/nfs4proc.c                                  |  12 +-
fs/nfs/super.c                                     |  25 --
include/linux/nfs_xdr.h                            |   1 +
scripts/selinux/genheaders/genheaders.c            |  11 +-
security/selinux/Kconfig                           |   3 +
security/selinux/Makefile                          |   4 +-
security/selinux/hooks.c                           |  18 +-
security/selinux/include/conditional.h             |   8 +-
security/selinux/include/initial_sid_to_string.h   |  57 ++--
security/selinux/include/security.h                |  12 +
security/selinux/selinuxfs.c                       |  19 +-
security/selinux/ss/avtab.c                        |   3 +-
security/selinux/ss/avtab.h                        |   2 +-
security/selinux/ss/conditional.c                  | 259 +++++-------
security/selinux/ss/conditional.h                  |  29 +-
security/selinux/ss/hashtab.c                      |  28 +-
security/selinux/ss/hashtab.h                      |   2 +-
security/selinux/ss/policydb.c                     | 326 ++++++++---------
security/selinux/ss/policydb.h                     |  13 +-
security/selinux/ss/services.c                     |  79 +++--
security/selinux/ss/services.h                     |   2 -
security/selinux/{ss => }/status.c                 |  32 +-
26 files changed, 521 insertions(+), 490 deletions(-)
create mode 100644 Documentation/ABI/obsolete/sysfs-selinux-checkreqprot
rename security/selinux/{ss => }/status.c (81%)

paul moore
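An added example, not part of Paul Moore's pull request or of the kernel tree: a POSIX shell check an administrator can run to see where a host stands on two of the settings highlighted above, the deprecated checkreqprot=1 and the new genfs_seclabel_symlinks policy capability. It reads the selinuxfs files /sys/fs/selinux/checkreqprot and /sys/fs/selinux/policy_capabilities/genfs_seclabel_symlinks. The function names and the optional directory argument (which lets the check be exercised against a constructed directory tree instead of a live selinuxfs) are my own.

```shell
#!/bin/sh
# Added example, not from the pull request: audit the checkreqprot flag
# and the genfs_seclabel_symlinks policy capability exposed by selinuxfs.
# The selinuxfs root defaults to /sys/fs/selinux and can be overridden
# (assumed interface, for testing against a constructed tree).

# read_flag FILE: print the single 0/1 value stored in FILE, or "absent"
# when the file is missing or unreadable (selinuxfs not mounted, older
# kernel, or policy without the capability).
read_flag() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        printf 'absent'
    fi
}

# selinux_settings_audit [SELINUXFS]: print one line per setting and
# return 0 when nothing needs attention, 1 when checkreqprot is set to
# the deprecated value 1.
selinux_settings_audit() {
    fs="${1:-/sys/fs/selinux}"
    rc=0

    crp=$(read_flag "$fs/checkreqprot")
    case "$crp" in
        1)
            echo "checkreqprot=1: deprecated since v5.7. Access checks use the"
            echo "  protection the application requested instead of the one the"
            echo "  kernel actually applies (including any implied by"
            echo "  READ_IMPLIES_EXEC). Set it to 0 (sysfs file or the"
            echo "  checkreqprot= boot parameter)."
            rc=1 ;;
        0)
            echo "checkreqprot=0: OK" ;;
        *)
            echo "checkreqprot: $crp (selinuxfs not mounted or SELinux disabled?)" ;;
    esac

    cap=$(read_flag "$fs/policy_capabilities/genfs_seclabel_symlinks")
    case "$cap" in
        1) echo "genfs_seclabel_symlinks=1: kernfs symlinks inherit the parent label" ;;
        0) echo "genfs_seclabel_symlinks=0: kernfs symlinks keep the default label" ;;
        *) echo "genfs_seclabel_symlinks: $cap (kernel < 5.7 or policy lacks it)" ;;
    esac

    return "$rc"
}

# Run against the live system when executed directly.
if [ "${0##*/}" = "selinux_audit.sh" ]; then
    selinux_settings_audit
fi
```

The non-zero return on checkreqprot=1 is what makes the function usable from a configuration-compliance job; the "absent" branches keep it from misreporting a host where selinuxfs is not mounted.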
