[GIT PULL] selinux/selinux-pr-20250121
Paul Moore
paul at paul-moore.com
Tue Jan 21 23:40:24 UTC 2025
Linus,
A lucky 13 SELinux patches for the v6.14 merge window, the summary is
below:
- Extended permissions supported in conditional policy
The SELinux extended permissions, aka "xperms", allow security admins
to target individuals ioctls, and recently netlink messages, with
their SELinux policy. Adding support for conditional policies allows
admins to toggle the granular xperms using SELinux booleans, helping
pave the way for greater use of xperms in general purpose SELinux
policies. This change bumps the maximum SELinux policy version to 34.
- Fix a SCTP/SELinux error return code inconsistency
Depending on the loaded SELinux policy, specifically it's EXTSOCKCLASS
support, the bind(2) LSM/SELinux hook could return different error
codes due to the SELinux code checking the socket's SELinux object
class (which can vary depending on EXTSOCKCLASS) and not the socket's
sk_protocol field. We fix this by doing the obvious, and looking at
the sock->sk_protocol field instead of the object class.
- Makefile fixes to properly cleanup av_permissions.h
Add av_permissions.h to "targets" so that it is properly cleaned up
using the kbuild infrastructure.
- A number of smaller improvements by Christian Göttsche
A variety of straightforward changes to reduce code duplication,
reduce pointer lookups, migrate void pointers to defined types,
simplify code, constify function parameters, and correct
iterator types.
--
The following changes since commit 40384c840ea1944d7c5a392e8975ed088ecf0b37:
Linux 6.13-rc1 (2024-12-01 14:28:56 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
tags/selinux-pr-20250121
for you to fetch changes up to 01c2253a0fbdccb58cd79d4ff9ab39964bfb4474:
selinux: make more use of str_read() when loading the policy
(2025-01-07 23:14:40 -0500)
----------------------------------------------------------------
selinux/stable-6.14 PR 20250121
----------------------------------------------------------------
Christian Göttsche (10):
selinux: use native iterator types
selinux: add support for xperms in conditional policies
selinux: supply missing field initializers
selinux: avoid using types indicating user space interaction
selinux: constify and reconcile function parameter names
selinux: rework match_ipv6_addrmask()
selinux: rename comparison functions for clarity
selinux: use known type instead of void pointer
selinux: avoid unnecessary indirection in struct level_datum
selinux: make more use of str_read() when loading the policy
Mikhail Ivanov (1):
selinux: Fix SCTP error inconsistency in selinux_socket_bind()
Thiébaud Weksteen (1):
selinux: add netlink nlmsg_type audit message
Thomas Weißschuh (1):
selinux: add generated av_permissions.h to targets
include/linux/lsm_audit.h | 2
security/lsm_audit.c | 3
security/selinux/Makefile | 7 -
security/selinux/hooks.c | 10 -
security/selinux/include/classmap.h | 2
security/selinux/include/conditional.h | 2
security/selinux/include/security.h | 7 -
security/selinux/selinuxfs.c | 4
security/selinux/ss/avtab.c | 19 ++-
security/selinux/ss/avtab.h | 13 +-
security/selinux/ss/conditional.c | 24 +---
security/selinux/ss/conditional.h | 6 -
security/selinux/ss/context.c | 2
security/selinux/ss/context.h | 14 +-
security/selinux/ss/ebitmap.c | 12 +-
security/selinux/ss/ebitmap.h | 7 -
security/selinux/ss/mls.c | 6 -
security/selinux/ss/mls_types.h | 2
security/selinux/ss/policydb.c | 135 +++++++++++--------------
security/selinux/ss/policydb.h | 22 ++--
security/selinux/ss/services.c | 30 ++---
security/selinux/ss/sidtab.c | 6 -
22 files changed, 170 insertions(+), 165 deletions(-)
--
paul-moore.com
More information about the Linux-security-module-archive
mailing list