mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
synced 2025-01-06 05:02:31 +00:00
9f9310bf87
-----BEGIN PGP SIGNATURE----- iQJIBAABCAAyFiEES0KozwfymdVUl37v6iDy2pc3iXMFAmWYKRAUHHBhdWxAcGF1 bC1tb29yZS5jb20ACgkQ6iDy2pc3iXPC8RAAnIEfN9baTj2LAO6EvUJ6MB0s8Ibs 7GDVXeqjE7JPizK3kYoO2N+PhUBrAXV0NfowHnT6Kbg6UrbA37+YSX0BcQS0qJsA e+KYFRdf+H0ERn+y4v04y2VuPt4kbi3eDRLrvDFTPZS6LbPcz629N+3/p+v9Lf5A nHTVzvqnReCjP8HnCSzSXzmZ/kIqa1tsmxx55JZL2zPnJO5/oA0Ne6hNsn1K5bqa RTvS7GTITvFgMvGjsgrWM/TfIdcis9rRjXySpVEXRAtfTFNH1n/hpV6pJKe2Inxc Jf6xIl4whQNX2ITDESa7GjRa5Vq2INeX3UJrH/pattp9I1YYjbeZPj6At8JxbrCG TUodKRSfoHrukEqSRQtoaEv9ZQr7HFJsD45u3ybKWbR7hi91IC9lt1oL7g1lyp2Z SC3LglNOzPW8DvhXIS8DPFVX5S+Ackq10pR5WNeVjVNHqYJ+4HheOM0YnFiN9ulJ P0q9U9sKWyotbfTEUijWVNInvDs3P0y5rLV8ozVQ1NV8huLJTaMwJL+wfAA7wcGK iAtJvRKoHrB3lTWp7p1E+LhZMj8fh7VtA180c1uC1LdXISWN2hkvmjfV4t2u90Ul b87Cimz2XrVqaBrdkiqYvsTwtnyrImR7KPv8HFLlQmf4XVAx2NNSkAjv0fJvj+2T KQXvdvrI7cZpgeM= =GzYW -----END PGP SIGNATURE----- Merge tag 'selinux-pr-20240105' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux Pull selinux updates from Paul Moore: - Add a new SELinux initial SID, SECINITSID_INIT, to represent userspace processes started before the SELinux policy is loaded in early boot. Prior to this patch all processes were marked as SECINITSID_KERNEL before the SELinux policy was loaded, making it difficult to distinquish early boot userspace processes from the kernel in the SELinux policy. For most users this will be a non-issue as the policy is loaded early enough during boot, but for users who load their SELinux policy relatively late, this should make it easier to construct meaningful security policies. - Cleanups to the selinuxfs code by Al, mostly on VFS related issues during a policy reload. The commit description has more detail, but the quick summary is that we are replacing a disconnected directory approach with a temporary directory that we swapover at the end of the reload. - Fix an issue where the input sanity checking on socket bind() operations was slightly different depending on the presence of SELinux. This is caused by the placement of the LSM hooks in the generic socket layer as opposed to the protocol specific bind() handler where the protocol specific sanity checks are performed. Mickaël has mentioned that he is working to fix this, but in the meantime we just ensure that we are replicating the checks properly. We need to balance the placement of the LSM hooks with the number of LSM hooks; pushing the hooks down into the protocol layers is likely not the right answer. - Update the avc_has_perm_noaudit() prototype to better match the function definition. - Migrate from using partial_name_hash() to full_name_hash() the filename transition hash table. This improves the quality of the code and has the potential for a minor performance bump. - Consolidate some open coded SELinux access vector comparisions into a single new function, avtab_node_cmp(), and use that instead. A small, but nice win for code quality and maintainability. - Updated the SELinux MAINTAINERS entry with additional information around process, bug reporting, etc. We're also updating some of our "official" roles: dropping Eric Paris and adding Ondrej as a reviewer. - Cleanup the coding style crimes in security/selinux/include. While I'm not a fan of code churn, I am pushing for more automated code checks that can be done at the developer level and one of the obvious things to check for is coding style. In an effort to start from a "good" base I'm slowly working through our source files cleaning them up with the help of clang-format and good ol' fashioned human eyeballs; this has the first batch of these changes. I've been splitting the changes up per-file to help reduce the impact if backports are required (either for LTS or distro kernels), and I expect the some of the larger files, e.g. hooks.c and ss/services.c, will likely need to be split even further. - Cleanup old, outdated comments. * tag 'selinux-pr-20240105' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: (24 commits) selinux: Fix error priority for bind with AF_UNSPEC on PF_INET6 socket selinux: fix style issues in security/selinux/include/initial_sid_to_string.h selinux: fix style issues in security/selinux/include/xfrm.h selinux: fix style issues in security/selinux/include/security.h selinux: fix style issues with security/selinux/include/policycap_names.h selinux: fix style issues in security/selinux/include/policycap.h selinux: fix style issues in security/selinux/include/objsec.h selinux: fix style issues with security/selinux/include/netlabel.h selinux: fix style issues in security/selinux/include/netif.h selinux: fix style issues in security/selinux/include/ima.h selinux: fix style issues in security/selinux/include/conditional.h selinux: fix style issues in security/selinux/include/classmap.h selinux: fix style issues in security/selinux/include/avc_ss.h selinux: align avc_has_perm_noaudit() prototype with definition selinux: fix style issues in security/selinux/include/avc.h selinux: fix style issues in security/selinux/include/audit.h MAINTAINERS: drop Eric Paris from his SELinux role MAINTAINERS: add Ondrej Mosnacek as a SELinux reviewer selinux: remove the wrong comment about multithreaded process handling selinux: introduce an initial SID for early boot processes ... |
||
|---|---|---|
| .. | ||
| include | ||
| ss | ||
| .gitignore | ||
| avc.c | ||
| hooks.c | ||
| ibpkey.c | ||
| ima.c | ||
| Kconfig | ||
| Makefile | ||
| netif.c | ||
| netlabel.c | ||
| netlink.c | ||
| netnode.c | ||
| netport.c | ||
| nlmsgtab.c | ||
| selinuxfs.c | ||
| status.c | ||
| xfrm.c | ||