[GIT PULL] LSM patches for v6.4

Paul Moore paul at paul-moore.com
Thu Apr 20 23:53:00 UTC 2023


Hi Linus,

Due to some personal logistics challenges over the next few days I'm
sending the LSM pull request for Linux v6.4 a bit early.  Here is a
quick summary of the changes:

* Move the LSM hook comment blocks into security/security.c
For many years the LSM hook comment blocks were located in a very odd
place, include/linux/lsm_hooks.h, where they lived on their own,
disconnected from both the function prototypes and definitions.  In
keeping with current kernel conventions, this PR moves all of these
comment blocks to the top of the function definitions, transforming
them into the kdoc format in the process.  This should make it much
easier to maintain these comments, which are the main source of LSM
hook documentation.  For the most part the comment contents were left
as-is, although some glaring errors were corrected.  Expect additional
edits in the future as we slowly update and correct the comment
blocks.  This is the bulk of the PR's diffstat.

* Introduce LSM_ORDER_LAST
Similar to how LSM_ORDER_FIRST is used to specify LSMs which should be
ordered before "normal" LSMs, the LSM_ORDER_LAST is used to specify
LSMs which should be ordered after "normal" LSMs.  This is one of the
prerequisites for transitioning IMA/EVM to a proper LSM.

* Remove the security_old_inode_init_security() hook
The security_old_inode_init_security() LSM hook only allows for a
single xattr which is problematic both for LSM stacking and the
IMA/EVM-as-a-LSM effort.  This PR finishes the conversion over to the
security_inode_init_security() hook and removes the single-xattr LSM
hook.

* Fix a reiserfs problem with security xattrs
During the security_old_inode_init_security() removal work it became
clear that reiserfs wasn't handling security xattrs properly so we
fixed it.

Please merge, thanks.

--
paul-moore.com
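As an added illustration of the LSM_ORDER_LAST item above (this is not part of Paul Moore's message and not the kernel's own code), the following user-space C program models how the three ordering classes combine with an lsm= list to produce the initialization order. The enum names mirror the kernel's, but their values, the registration table, the lsm= string and the exact handling of unknown or repeated names are all constructed assumptions for this example; the rule it demonstrates is the one the summary states, namely that LSM_ORDER_FIRST entries come before the "normal" (mutable) LSMs and LSM_ORDER_LAST entries after them, wherever they appear in the list.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* The three ordering classes.  The names mirror the kernel's, but the
 * numeric values and this whole user-space model are constructed for the
 * example; they are not the kernel's definitions. */
enum lsm_order {
	LSM_ORDER_FIRST,    /* always placed before "normal" LSMs */
	LSM_ORDER_MUTABLE,  /* "normal" LSMs, positioned by the lsm= list */
	LSM_ORDER_LAST,     /* always placed after "normal" LSMs */
};

struct lsm_info {
	const char *name;
	enum lsm_order order;
};

/* Constructed registration table for a hypothetical build; IMA/EVM are
 * shown as LSM_ORDER_LAST, the use case the pull request mentions. */
static const struct lsm_info lsm_table[] = {
	{ "capability", LSM_ORDER_FIRST },
	{ "selinux",    LSM_ORDER_MUTABLE },
	{ "apparmor",   LSM_ORDER_MUTABLE },
	{ "yama",       LSM_ORDER_MUTABLE },
	{ "ima",        LSM_ORDER_LAST },
	{ "evm",        LSM_ORDER_LAST },
};
#define LSM_COUNT (sizeof(lsm_table) / sizeof(lsm_table[0]))

/* Append every not-yet-added LSM of the given class, in registration order. */
static size_t append_class(enum lsm_order cls, bool *added,
			   const char **out, size_t n, size_t max)
{
	for (size_t i = 0; i < LSM_COUNT && n < max; i++) {
		if (lsm_table[i].order == cls && !added[i]) {
			added[i] = true;
			out[n++] = lsm_table[i].name;
		}
	}
	return n;
}

/*
 * Compute the initialization order for a comma-separated lsm= list.
 * Writes up to max names into out[] and returns how many were written.
 * Mutable LSMs missing from the list stay disabled; names that are unknown,
 * non-mutable or repeated are ignored (constructed policy for this model).
 */
size_t order_lsms(const char *lsm_list, const char **out, size_t max)
{
	bool added[LSM_COUNT] = { false };
	size_t n = 0;

	/* 1. LSM_ORDER_FIRST: before everything, regardless of lsm=. */
	n = append_class(LSM_ORDER_FIRST, added, out, n, max);

	/* 2. Mutable LSMs in exactly the order the lsm= list gives. */
	const char *p = lsm_list;
	while (p && *p && n < max) {
		const char *comma = strchr(p, ',');
		size_t len = comma ? (size_t)(comma - p) : strlen(p);

		for (size_t i = 0; i < LSM_COUNT; i++) {
			if (strlen(lsm_table[i].name) == len &&
			    strncmp(lsm_table[i].name, p, len) == 0 &&
			    lsm_table[i].order == LSM_ORDER_MUTABLE &&
			    !added[i]) {
				added[i] = true;
				out[n++] = lsm_table[i].name;
				break;
			}
		}
		p = comma ? comma + 1 : NULL;
	}

	/* 3. LSM_ORDER_LAST: after all "normal" LSMs, regardless of lsm=. */
	return append_class(LSM_ORDER_LAST, added, out, n, max);
}

int main(void)
{
	const char *out[LSM_COUNT];
	/* "ima" is deliberately placed mid-list to show it is still ordered last. */
	size_t n = order_lsms("yama,selinux,ima", out, LSM_COUNT);

	for (size_t i = 0; i < n; i++)
		printf("%zu: %s\n", i, out[i]);
	return 0;
}
```

Running it with the constructed list "yama,selinux,ima" yields capability, yama, selinux, ima, evm: the LSM_ORDER_FIRST entry leads, the mutable LSMs keep the list's order (apparmor, absent from the list, is left out), and both LSM_ORDER_LAST entries trail even though "ima" was named in the middle of the list.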


