[GIT PULL] lsm/lsm-pr-20250121
Paul Moore
paul at paul-moore.com
Tue Jan 21 23:40:10 UTC 2025
Linus,
Fifteen LSM framework patches for the v6.14 merge window, a summary is
below:
- Improved handling of LSM "secctx" strings through lsm_context struct
The LSM secctx string interface is from an older time when only one
LSM was supported, migrate over to the lsm_context struct to better
support the different LSMs we now have and make it easier to support
new LSMs in the future.
These changes explain the Rust, VFS, and networking changes in the
diffstat.
- Only build lsm_audit.c if CONFIG_SECURITY and CONFIG_AUDIT are enabled
Small tweak to be a bit smarter about when we build the LSM's common
audit helpers.
- Check for absurdly large policies from userspace in SafeSetID
SafeSetID policy rules are fairly small, basically just "UID:UID", so
it is easy to impose a limit of KMALLOC_MAX_SIZE on policy writes which
helps quiet a number of syzbot related issues. While work is being
done to address the syzbot issues through other mechanisms, this is
a trivial and relatively safe fix that we can do now.
- Various minor improvements and cleanups
A collection of improvements to the kernel selftests, constification
of some function parameters, removing redundant assignments, and local
variable renames to improve readability.
Paul
--
The following changes since commit 40384c840ea1944d7c5a392e8975ed088ecf0b37:
Linux 6.13-rc1 (2024-12-01 14:28:56 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git
tags/lsm-pr-20250121
for you to fetch changes up to 714d87c90a766e6917f7d69f618b864d350f09d3:
lockdown: initialize local array before use to quiet static analysis
(2025-01-05 12:48:43 -0500)
----------------------------------------------------------------
lsm/stable-6.14 PR 20250121
----------------------------------------------------------------
Alice Ryhl (1):
rust: replace lsm context+len with lsm_context
Amit Vadhavana (1):
selftests: refactor the lsm `flags_overset_lsm_set_self_attr` test
Casey Schaufler (7):
lsm: ensure the correct LSM context releaser
lsm: replace context+len with lsm_context
lsm: use lsm_context in security_inode_getsecctx
lsm: lsm_context in security_dentry_init_security
lsm: secctx provider check on release
binder: initialize lsm_context structure
net: corrections for security_secid_to_secctx returns
Christian Göttsche (2):
lsm: constify function parameters
lsm: rename variable to avoid shadowing
Colin Ian King (1):
security: remove redundant assignment to return variable
Leo Stone (1):
safesetid: check size of policy writes
Mickaël Salaün (1):
lsm: Only build lsm_audit.c if CONFIG_SECURITY and CONFIG_AUDIT are set
Tanya Agarwal (1):
lockdown: initialize local array before use to quiet static analysis
drivers/android/binder.c | 25 +---
fs/ceph/super.h | 3
fs/ceph/xattr.c | 12 -
fs/fuse/dir.c | 35 ++---
fs/nfs/nfs4proc.c | 22 ++-
fs/nfsd/nfs4xdr.c | 22 +--
include/linux/lsm_audit.h | 14 ++
include/linux/lsm_hook_defs.h | 13 --
include/linux/security.h | 37 +++---
include/net/scm.h | 12 -
kernel/audit.c | 33 ++---
kernel/auditsc.c | 27 +---
net/ipv4/ip_sockglue.c | 12 -
net/netfilter/nf_conntrack_netlink.c | 20 +--
net/netfilter/nf_conntrack_standalone.c | 11 -
net/netfilter/nfnetlink_queue.c | 26 ++--
net/netlabel/netlabel_unlabeled.c | 44 ++-----
net/netlabel/netlabel_user.c | 10 -
rust/helpers/security.c | 8 -
rust/kernel/security.rs | 38 ++----
security/Kconfig | 5
security/Makefile | 2
security/apparmor/include/secid.h | 7 -
security/apparmor/secid.c | 34 +++--
security/lockdown/lockdown.c | 2
security/lsm_audit.c | 8 -
security/safesetid/securityfs.c | 3
security/security.c | 67 ++++-------
security/selinux/hooks.c | 49 +++++---
security/smack/smack_lsm.c | 52 ++++----
tools/testing/selftests/lsm/lsm_set_self_attr_test.c | 7 -
31 files changed, 351 insertions(+), 309 deletions(-)
--
paul-moore.com