[GIT PULL] SELinux patches for v5.18

Paul Moore paul at paul-moore.com
Mon Mar 21 22:13:51 UTC 2022


Linus,

We've got a number of SELinux patches queued up for v5.18; the
highlights are below:

- Fix up the security_fs_context_parse_param() LSM hook so it executes
all of the LSM hook implementations unless a serious error occurs.  We
also correct the SELinux hook implementation so that it returns zero
on success.

- In addition to a few SELinux mount option parsing fixes, we
simplified the parsing by moving it earlier in the process.  The logic
was that it was unlikely an admin/user would use the new mount API and
not have the policy loaded before passing the SELinux options.

- Properly fixed the LSM/SELinux/SCTP hooks with the addition of the
security_sctp_assoc_established() hook.  This work was done in
conjunction with the netdev folks and should complete the move of the
SCTP labeling from the endpoints to the associations.

- Fixed a variety of sparse warnings caused by changes in the "__rcu"
markings of some core kernel structures.

- Ensure we access the superblock's LSM security blob using the
stacking-safe accessors.

- Added the ability for the kernel to always allow FIOCLEX and
FIONCLEX if the "ioctl_skip_cloexec" policy capability is specified.

- Various constification improvements, type casting improvements,
additional return value checks, and dead code/parameter removal.

- Documentation fixes.

Please merge.
-Paul

--
The following changes since commit e783362eb54cd99b2cac8b3a9aeac942e6f6ac07:

 Linux 5.17-rc1 (2022-01-23 10:12:53 +0200)

are available in the Git repository at:

 https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
   tags/selinux-pr-20220321

for you to fetch changes up to cdbec3ede0b8cb318c36f5cc945b9360329cbd25:

 selinux: shorten the policy capability enum names
   (2022-03-02 11:37:03 -0500)

----------------------------------------------------------------
selinux/stable-5.18 PR 20220321

----------------------------------------------------------------
Casey Schaufler (1):
     LSM: general protection fault in legacy_parse_param

Christian Göttsche (11):
     selinux: check return value of sel_make_avc_files
     selinux: declare path parameters of _genfs_sid const
     selinux: declare name parameter of hash_eval const
     selinux: enclose macro arguments in parenthesis
     selinux: drop cast to same type
     selinux: drop unused parameter of avtab_insert_node
     selinux: do not discard const qualifier in cast
     selinux: simplify cred_init_security
     selinux: drop unused macro
     selinux: drop return statement at end of void functions
     selinux: use correct type for context length

GONG, Ruiqi (1):
     selinux: access superblock_security_struct in LSM blob way

Ondrej Mosnacek (3):
     selinux: parse contexts for mount options early
     security: add sctp_assoc_established hook
     security: implement sctp_assoc_established hook in selinux

Paul Moore (3):
     selinux: fix a type cast problem in cred_init_security()
     selinux: various sparse fixes
     selinux: shorten the policy capability enum names

Richard Haines (1):
     selinux: allow FIOCLEX and FIONCLEX with policy capability

Scott Mayhew (2):
     selinux: Fix selinux_sb_mnt_opts_compat()
     selinux: try to use preparsed sid before calling parse_sid()

Wan Jiabing (1):
     docs: fix 'make htmldocs' warning in SCTP.rst

Documentation/security/SCTP.rst            |  26 ++-
include/linux/lsm_hook_defs.h              |   2 +
include/linux/lsm_hooks.h                  |   5 +
include/linux/security.h                   |   8 +
net/sctp/sm_statefuns.c                    |   8 +-
security/security.c                        |  24 ++-
security/selinux/hooks.c                   | 299 ++++++++++++++---------------
security/selinux/ibpkey.c                  |   2 +-
security/selinux/ima.c                     |   4 +-
security/selinux/include/policycap.h       |  21 +-
security/selinux/include/policycap_names.h |   5 +-
security/selinux/include/security.h        |  31 +--
security/selinux/netnode.c                 |   9 +-
security/selinux/netport.c                 |   2 +-
security/selinux/selinuxfs.c               |   4 +-
security/selinux/ss/avtab.c                |   6 +-
security/selinux/ss/conditional.c          |   2 -
security/selinux/ss/ebitmap.c              |   1 -
security/selinux/ss/ebitmap.h              |   6 +-
security/selinux/ss/mls.c                  |   1 -
security/selinux/ss/policydb.c             |   4 +-
security/selinux/ss/services.c             |  10 +-
security/selinux/ss/sidtab.c               |   4 +-
security/selinux/xfrm.c                    |   2 +-
24 files changed, 255 insertions(+), 231 deletions(-)

-- 
paul-moore.com
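Added example, not part of the pull request above or of the kernel tree: it exercises the two ioctls named in the "ioctl_skip_cloexec" highlight. FIOCLEX and FIONCLEX only set and clear the descriptor's FD_CLOEXEC flag, the same state fcntl(F_SETFD) manages, which is what makes it reasonable for a policy capability to let them bypass the per-ioctl permission check; the function and step codes below are this example's own.

```c
/* Added example (not from the pull request): exercise FIOCLEX/FIONCLEX
 * and show they toggle the same FD_CLOEXEC flag that fcntl(F_SETFD) does. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Returns 1 if fd has FD_CLOEXEC set, 0 if not, -1 on error (bad fd). */
int cloexec_is_set(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Set (set != 0) or clear close-on-exec through the ioctl path that the
 * ioctl_skip_cloexec policy capability exempts from the SELinux ioctl
 * permission check.  Returns 0 on success, -1 on failure (e.g. denied). */
int cloexec_via_ioctl(int fd, int set)
{
    return ioctl(fd, set ? FIOCLEX : FIONCLEX);
}

/* Walk one pipe descriptor through both paths.  Returns 0 when every step
 * agrees, otherwise the number of the first step that did not. */
int demo_fioclex_roundtrip(void)
{
    int fds[2];
    int rc = 0;
    if (pipe(fds) < 0)
        return 1;
    if (cloexec_is_set(fds[0]) != 0)               /* fresh fd: not cloexec */
        rc = 2;
    else if (cloexec_via_ioctl(fds[0], 1) < 0 ||   /* FIOCLEX sets it ... */
             cloexec_is_set(fds[0]) != 1)          /* ... visible via fcntl */
        rc = 3;
    else if (cloexec_via_ioctl(fds[0], 0) < 0 ||   /* FIONCLEX clears it */
             cloexec_is_set(fds[0]) != 0)
        rc = 4;
    else if (fcntl(fds[0], F_SETFD, FD_CLOEXEC) < 0 || /* fcntl path: same flag */
             cloexec_is_set(fds[0]) != 1)
        rc = 5;
    close(fds[0]);
    close(fds[1]);
    return rc;
}

int main(void)
{
    int rc = demo_fioclex_roundtrip();
    printf("FIOCLEX/FIONCLEX round trip: %s (code %d)\n",
           rc == 0 ? "ok" : "mismatch", rc);
    return rc;
}
```

On a system with SELinux enforcing, whether the capability is active can be read from the policy_capabilities directory of selinuxfs (normally /sys/fs/selinux/policy_capabilities/ioctl_skip_cloexec), which reports 1 when the loaded policy declares it.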