From patchwork Mon Jun 26 21:28:15 2023
X-Patchwork-Submitter: Paul Moore
X-Patchwork-Id: 113131
From: Paul Moore
Date: Mon, 26 Jun 2023 17:28:15 -0400
Subject: [GIT PULL] SELinux patches for v6.5
To: Linus Torvalds
Cc: selinux@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org

Hi Linus,

We've got a number of SELinux patches for v6.5, but nothing too scary.
It is worth mentioning that there is a minor merge conflict in security/selinux/Makefile (due to the quick fix sent during the v6.4-rcX cycle); the proper way to resolve the conflict is to simply take the version in this pull request.

Here is a quick summary of the changes:

- Thanks to help from the MPTCP folks, it looks like we have finally sorted out a proper solution to the MPTCP socket labeling issue, see the new security_mptcp_add_subflow() LSM hook.

- Fix the labeled NFS handling such that a labeled NFS share mounted prior to the initial SELinux policy load is properly labeled once a policy is loaded; more information in the commit description.

- Two patches to security/selinux/Makefile, the first took the cleanups in v6.4 a bit further and the second removed the grouped targets support as that functionality doesn't appear to be properly supported prior to make v4.3.

- Deprecate the "fs" object context type in SELinux policies. The fs object context type was an old vestige that was introduced back in v2.6.12-rc2 but never really used.

- A number of small changes that remove dead code, clean up some awkward bits, and generally improve the quality of the code. See the individual commit descriptions for more information.
Thanks,
-Paul

---
The following changes since commit ac9a78681b921877518763ba0e89202254349d1b:

  Linux 6.4-rc1 (2023-05-07 13:34:35 -0700)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git tags/selinux-pr-20230626

for you to fetch changes up to 447a5688005e5b789633bd080016517a08f9fd8d:

  selinux: avoid bool as identifier name (2023-06-05 17:04:01 -0400)

----------------------------------------------------------------
selinux/stable-6.5 PR 20230626
----------------------------------------------------------------
Christian Göttsche (10):
      selinux: do not leave dangling pointer behind
      selinux: adjust typos in comments
      selinux: avc: drop unused function avc_disable()
      selinux: drop return at end of void function avc_insert()
      selinux: retain const qualifier on string literal in avtab_hash_eval()
      selinux: declare read-only data arrays const
      selinux: keep context struct members in sync
      selinux: make header files self-including
      selinux: deprecated fs ocon
      selinux: avoid bool as identifier name

Ondrej Mosnacek (1):
      selinux: make labeled NFS work when mounted before policy load

Paolo Abeni (2):
      security, lsm: Introduce security_mptcp_add_subflow()
      selinux: Implement mptcp_add_subflow hook

Paul Moore (3):
      selinux: more Makefile tweaks
      selinux: small cleanups in selinux_audit_rule_init()
      selinux: fix Makefile for versions of make < v4.3

Xiu Jianfeng (1):
      selinux: cleanup exit_sel_fs() declaration

 include/linux/lsm_hook_defs.h                    |  1 +
 include/linux/security.h                         |  6 ++
 net/mptcp/subflow.c                              |  6 ++
 security/security.c                              | 17 ++++++
 security/selinux/Makefile                        | 28 ++++++---
 security/selinux/avc.c                           | 20 ------
 security/selinux/hooks.c                         | 78 +++++++++++++++-----
 security/selinux/ima.c                           |  2 +-
 security/selinux/include/audit.h                 |  2 +-
 security/selinux/include/avc.h                   |  3 -
 security/selinux/include/ibpkey.h                |  1 +
 security/selinux/include/ima.h                   |  2 +-
 security/selinux/include/initial_sid_to_string.h |  3 +
 security/selinux/include/security.h              |  2 +-
 security/selinux/netlabel.c                      |  8 ++-
 security/selinux/selinuxfs.c                     |  4 +-
 security/selinux/ss/avtab.c                      |  2 +-
 security/selinux/ss/avtab.h                      |  2 +-
 security/selinux/ss/conditional.c                |  8 +--
 security/selinux/ss/conditional.h                |  2 +-
 security/selinux/ss/context.h                    |  2 +
 security/selinux/ss/policydb.c                   |  6 +-
 security/selinux/ss/policydb.h                   |  2 +-
 security/selinux/ss/services.c                   | 40 ++++++------
 24 files changed, 158 insertions(+), 89 deletions(-)