[GIT PULL] SELinux patches for v5.13

Paul Moore paul at paul-moore.com
Mon Apr 26 23:27:42 UTC 2021


Hi Linus,

Here is the SELinux pull request for v5.13, the highlights are below:

* Add support for measuring the SELinux state and policy capabilities using IMA.

* A handful of SELinux/NFS patches to compare the SELinux state of one
mount with a set of mount options.  Olga goes into more detail in the
patch descriptions, but this is important as it allows more
flexibility when using NFS and SELinux context mounts.

* Properly differentiate between the subjective and objective LSM
credentials; including support for the SELinux and Smack.  My clumsy
attempt at a proper fix for AppArmor didn't quite pass muster so John
is working on a proper AppArmor patch, in the meantime this set of
patches shouldn't change the behavior of AppArmor in any way.  This
change explains the bulk of the diffstate beyond security/.

* Fix a problem where we were not properly terminating the permission
list for two SELinux object classes.

Everything has been tested against the selinux-testsuite and as of a
few moments ago the tag applies cleanly to your tree; please merge
this for v5.13.

Thanks,
-Paul

--
The following changes since commit a38fd8748464831584a19438cbb3082b5a2dab15:

 Linux 5.12-rc2 (2021-03-05 17:33:41 -0800)

are available in the Git repository at:

 git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
   tags/selinux-pr-20210426

for you to fetch changes up to e4c82eafb609c2badc56f4e11bc50fcf44b8e9eb:

 selinux: add proper NULL termination to the secclass_map permissions
   (2021-04-21 21:43:25 -0400)

----------------------------------------------------------------
selinux/stable-5.13 PR 20210426

----------------------------------------------------------------
Lakshmi Ramasubramanian (1):
     selinux: measure state and policy capabilities

Olga Kornievskaia (3):
     lsm,selinux: add new hook to compare new mount to an existing mount
     nfs: remove unneeded null check in nfs_fill_super()
     nfs: account for selinux security context when deciding to share
          superblock

Paul Moore (4):
     lsm: separate security_task_getsecid() into subjective and objective
          variants
     selinux: clarify task subjective and objective credentials
     smack: differentiate between subjective and objective task credentials
     selinux: add proper NULL termination to the secclass_map permissions

Vivek Goyal (1):
     selinux: Allow context mounts for unpriviliged overlayfs

Xiong Zhenwu (2):
     selinux: fix misspellings using codespell tool
     selinux: fix misspellings using codespell tool

drivers/android/binder.c              |  11 ++-
fs/nfs/fs_context.c                   |   3 +
fs/nfs/internal.h                     |   1 +
fs/nfs/super.c                        |   6 +-
include/linux/cred.h                  |   2 +-
include/linux/lsm_hook_defs.h         |   6 +-
include/linux/lsm_hooks.h             |  18 +++-
include/linux/nfs_fs_sb.h             |   1 +
include/linux/security.h              |  18 +++-
kernel/audit.c                        |   4 +-
kernel/auditfilter.c                  |   3 +-
kernel/auditsc.c                      |   8 +-
kernel/bpf/bpf_lsm.c                  |   3 +-
net/netlabel/netlabel_unlabeled.c     |   2 +-
net/netlabel/netlabel_user.h          |   2 +-
security/apparmor/lsm.c               |   3 +-
security/integrity/ima/ima_appraise.c |   2 +-
security/integrity/ima/ima_main.c     |  14 +--
security/security.c                   |  20 +++-
security/selinux/hooks.c              | 170 ++++++++++++++++++++++++------
security/selinux/ima.c                |  87 +++++++++++++++-
security/selinux/include/classmap.h   |   5 +-
security/selinux/include/ima.h        |   6 ++
security/selinux/include/security.h   |   2 +-
security/selinux/selinuxfs.c          |   6 ++
security/selinux/ss/hashtab.c         |   2 +-
security/selinux/ss/services.c        |   2 +-
security/smack/smack.h                |  18 +++-
security/smack/smack_lsm.c            |  39 +++++---
29 files changed, 372 insertions(+), 92 deletions(-)

-- 
paul moore
www.paul-moore.com



More information about the Linux-security-module-archive mailing list