[GIT PULL] selinux/selinux-pr-20240911

Paul Moore paul at paul-moore.com
Fri Sep 13 01:18:33 UTC 2024


Linus,

A number of small SELinux patches for the v6.12 merge window:

* Ensure that both IPv4 and IPv6 connections are properly initialized

While we always properly initialized IPv4 connections early in their
life, we missed the necessary IPv6 change when we were adding IPv6
support.

* Annotate the SELinux inode revalidation function to quiet KCSAN 

KCSAN correctly identifyies a race in __inode_security_revalidate() when
we check to see if an inode's SELinux has been properly initialized.
While KCSAN is correct, it is an intentional choice made for performance
reasons; if necessary, we check the state a second time, this time with a
lock held, before initializing the inode's state.

* Code cleanups, simplification, etc.

A handful of individual patches to simplify some SELinux kernel logic,
improve return code granularity via ERR_PTR(), follow the guidance on
using KMEM_CACHE(), and correct some minor style problems.

-Paul

--
The following changes since commit 8400291e289ee6b2bf9779ff1c83a291501f017b:

  Linux 6.11-rc1 (2024-07-28 14:19:55 -0700)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
    tags/selinux-pr-20240911

for you to fetch changes up to d19a9e25a722d629041ac8fd320a86c016e349d1:

  selinux: fix style problems in security/selinux/include/audit.h
    (2024-09-03 18:54:38 -0400)

----------------------------------------------------------------
selinux/stable-6.12 PR 20240911
----------------------------------------------------------------

Canfeng Guo (1):
      selinux: Streamline type determination in security_compute_sid

Eric Suen (1):
      selinux: replace kmem_cache_create() with KMEM_CACHE()

Gaosheng Cui (1):
      selinux: refactor code to return ERR_PTR in
         selinux_netlbl_sock_genattr

Guido Trentalancia (1):
      selinux: mark both IPv4 and IPv6 accepted connection sockets as
         labeled

Paul Moore (1):
      selinux: fix style problems in security/selinux/include/audit.h

Stephen Smalley (1):
      selinux: annotate false positive data race to avoid KCSAN warnings

Zhen Lei (1):
      selinux: simplify avc_xperms_audit_required()

 security/selinux/avc.c           |   20 ++++---------
 security/selinux/hooks.c         |    7 ++++
 security/selinux/include/audit.h |   46 +++++++++++++++----------------
 security/selinux/netlabel.c      |   20 ++++++-------
 security/selinux/ss/avtab.c      |    7 +---
 security/selinux/ss/ebitmap.c    |    4 --
 security/selinux/ss/hashtab.c    |    4 --
 security/selinux/ss/services.c   |   36 ++++++++++++------------
 8 files changed, 68 insertions(+), 76 deletions(-)

--
paul-moore.com



More information about the Linux-security-module-archive mailing list