[GIT PULL] SELinux patches for v5.18
Paul Moore
paul at paul-moore.com
Mon Mar 21 22:13:51 UTC 2022
Linus,

We've got a number of SELinux patches queued up for v5.18, the
highlights are below:

- Fixup the security_fs_context_parse_param() LSM hook so it executes
  all of the LSM hook implementations unless a serious error occurs. We
  also correct the SELinux hook implementation so that it returns zero
  on success.

- In addition to a few SELinux mount option parsing fixes, we
  simplified the parsing by moving it earlier in the process. The logic
  was that it was unlikely an admin/user would use the new mount API and
  not have the policy loaded before passing the SELinux options.

- Properly fixed the LSM/SELinux/SCTP hooks with the addition of the
  security_sctp_assoc_established() hook. This work was done in
  conjunction with the netdev folks and should complete the move of the
  SCTP labeling from the endpoints to the associations.

- Fixed a variety of sparse warnings caused by changes in the "__rcu"
  markings of some core kernel structures.

- Ensure we access the superblock's LSM security blob using the
  stacking-safe accessors.

- Added the ability for the kernel to always allow FIOCLEX and
  FIONCLEX if the "ioctl_skip_cloexec" policy capability is specified.

- Various constification improvements, type casting improvements,
  additional return value checks, and dead code/parameter removal.

- Documentation fixes.

Please merge.
-Paul
--
The following changes since commit e783362eb54cd99b2cac8b3a9aeac942e6f6ac07:

  Linux 5.17-rc1 (2022-01-23 10:12:53 +0200)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git tags/selinux-pr-20220321

for you to fetch changes up to cdbec3ede0b8cb318c36f5cc945b9360329cbd25:

  selinux: shorten the policy capability enum names (2022-03-02 11:37:03 -0500)

----------------------------------------------------------------
selinux/stable-5.18 PR 20220321
----------------------------------------------------------------
Casey Schaufler (1):
      LSM: general protection fault in legacy_parse_param

Christian Göttsche (11):
      selinux: check return value of sel_make_avc_files
      selinux: declare path parameters of _genfs_sid const
      selinux: declare name parameter of hash_eval const
      selinux: enclose macro arguments in parenthesis
      selinux: drop cast to same type
      selinux: drop unused parameter of avtab_insert_node
      selinux: do not discard const qualifier in cast
      selinux: simplify cred_init_security
      selinux: drop unused macro
      selinux: drop return statement at end of void functions
      selinux: use correct type for context length

GONG, Ruiqi (1):
      selinux: access superblock_security_struct in LSM blob way

Ondrej Mosnacek (3):
      selinux: parse contexts for mount options early
      security: add sctp_assoc_established hook
      security: implement sctp_assoc_established hook in selinux

Paul Moore (3):
      selinux: fix a type cast problem in cred_init_security()
      selinux: various sparse fixes
      selinux: shorten the policy capability enum names

Richard Haines (1):
      selinux: allow FIOCLEX and FIONCLEX with policy capability

Scott Mayhew (2):
      selinux: Fix selinux_sb_mnt_opts_compat()
      selinux: try to use preparsed sid before calling parse_sid()

Wan Jiabing (1):
      docs: fix 'make htmldocs' warning in SCTP.rst

Documentation/security/SCTP.rst | 26 ++-
include/linux/lsm_hook_defs.h | 2 +
include/linux/lsm_hooks.h | 5 +
include/linux/security.h | 8 +
net/sctp/sm_statefuns.c | 8 +-
security/security.c | 24 ++-
security/selinux/hooks.c | 299 ++++++++++++++---------------
security/selinux/ibpkey.c | 2 +-
security/selinux/ima.c | 4 +-
security/selinux/include/policycap.h | 21 +-
security/selinux/include/policycap_names.h | 5 +-
security/selinux/include/security.h | 31 +--
security/selinux/netnode.c | 9 +-
security/selinux/netport.c | 2 +-
security/selinux/selinuxfs.c | 4 +-
security/selinux/ss/avtab.c | 6 +-
security/selinux/ss/conditional.c | 2 -
security/selinux/ss/ebitmap.c | 1 -
security/selinux/ss/ebitmap.h | 6 +-
security/selinux/ss/mls.c | 1 -
security/selinux/ss/policydb.c | 4 +-
security/selinux/ss/services.c | 10 +-
security/selinux/ss/sidtab.c | 4 +-
security/selinux/xfrm.c | 2 +-
24 files changed, 255 insertions(+), 231 deletions(-)
--
paul-moore.com