Linux-Security-Module Archive on lore.kernel.org
From: Paul Moore <paul@paul-moore.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: selinux@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: [GIT PULL] SELinux patches for v5.4
Date: Tue, 17 Sep 2019 15:38:05 -0400
Message-ID: <CAHC9VhT1n=zwWJRSqF+OLzQq2r_8Bf0TjO-1QEe3yfLHAnomfA@mail.gmail.com> (raw)

Hi Linus,

Eight SELinux patches for v5.4; the highlights are listed below, and
all pass the selinux-testsuite. Please merge for v5.4.

- Add LSM hooks, and SELinux access control hooks, for dnotify,
fanotify, and inotify watches.  This has been discussed with both the
LSM and fs/notify folks and everybody is good with these new hooks.

- The LSM stacking changes missed a few calls to current_security() in
the SELinux code; we fix those and remove current_security() for good.

- Improve our network object labeling cache so that we always return
the object's label, even when under memory pressure.  Previously we
would return an error if we couldn't allocate a new cache entry, now
we always return the label even if we can't create a new cache entry
for it.

- Convert the sidtab atomic_t counter to a normal u32 with
READ/WRITE_ONCE() and memory barrier protection.

- A few patches to policydb.c to clean things up (remove forward
declarations, long lines, bad variable names, etc.).

Thanks,
-Paul

--
The following changes since commit 45385237f65aeee73641f1ef737d7273905a233f:

 selinux: fix memory leak in policydb_init() (2019-07-31 16:51:23 -0400)

are available in the Git repository at:

 git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
   tags/selinux-pr-20190917

for you to fetch changes up to 15322a0d90b6fd62ae8f22e5b87f735c3fdfeff7:

 lsm: remove current_security() (2019-09-04 18:53:39 -0400)

----------------------------------------------------------------
selinux/stable-5.4 PR 20190917

----------------------------------------------------------------
Aaron Goidel (1):
     fanotify, inotify, dnotify, security: add security hook for fs
       notifications

Ondrej Mosnacek (3):
     selinux: policydb - fix some checkpatch.pl warnings
     selinux: policydb - rename type_val_to_struct_array
     selinux: avoid atomic_t usage in sidtab

Paul Moore (3):
     selinux: shuffle around policydb.c to get rid of forward declarations
     selinux: always return a secid from the network caches if we find one
     lsm: remove current_security()

Stephen Smalley (1):
     selinux: fix residual uses of current_security() for the SELinux blob

fs/notify/dnotify/dnotify.c         |  15 +-
fs/notify/fanotify/fanotify_user.c  |  19 +-
fs/notify/inotify/inotify_user.c    |  14 +-
include/linux/cred.h                |   1 -
include/linux/lsm_hooks.h           |   9 +-
include/linux/security.h            |  10 +-
security/security.c                 |   6 +
security/selinux/hooks.c            |  49 ++++-
security/selinux/include/classmap.h |   5 +-
security/selinux/include/objsec.h   |  20 +-
security/selinux/netif.c            |  31 ++-
security/selinux/netnode.c          |  30 ++-
security/selinux/netport.c          |  24 +--
security/selinux/ss/policydb.c      | 402 +++++++++++++++---------------
security/selinux/ss/policydb.h      |   2 +-
security/selinux/ss/services.c      |   6 +-
security/selinux/ss/sidtab.c        |  48 ++---
security/selinux/ss/sidtab.h        |  19 +-
18 files changed, 403 insertions(+), 307 deletions(-)

-- 
paul moore
www.paul-moore.com
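As an added illustration of the network-cache change in the third bullet above (constructed model, not code from this pull request or the kernel): a simplified labeling cache contrasting the old behaviour, where a failed entry allocation became a lookup error, with the new one, where the label is returned regardless and caching is best effort. The entry layout, CACHE_SLOTS, label_from_policy() and the simulate_alloc_failure flag are all assumptions made for the example.

```c
/* Constructed model (not kernel code) of the network cache change in this pull
 * request: on a miss, return the label even when no cache entry can be allocated. */
#include <stdint.h>
#include <stddef.h>
#include <errno.h>
#define CACHE_SLOTS 4
struct cache_entry { uint32_t addr; uint32_t secid; int used; };
static struct cache_entry cache[CACHE_SLOTS];
int simulate_alloc_failure;   /* set to 1 to model memory pressure */
/* Stand-in for the policy lookup; the kernel consults its node rules. */
static uint32_t label_from_policy(uint32_t addr) { return 1000u + addr % 7; }

static struct cache_entry *cache_find(uint32_t addr)
{
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (cache[i].used && cache[i].addr == addr)
            return &cache[i];
    return NULL;
}

static struct cache_entry *cache_alloc(void)
{
    for (int i = 0; !simulate_alloc_failure && i < CACHE_SLOTS; i++)
        if (!cache[i].used)
            return &cache[i];
    return NULL;
}

/* Old behaviour: a failed entry allocation was reported as a lookup error. */
int netnode_sid_old(uint32_t addr, uint32_t *sid)
{
    struct cache_entry *e = cache_find(addr);
    if (!e) {
        if ((e = cache_alloc()) == NULL)
            return -ENOMEM;
        e->addr = addr; e->secid = label_from_policy(addr); e->used = 1;
    }
    *sid = e->secid;
    return 0;
}

/* New behaviour: the label is always returned; caching is best effort. */
int netnode_sid_new(uint32_t addr, uint32_t *sid)
{
    struct cache_entry *e = cache_find(addr);
    if (e) { *sid = e->secid; return 0; }
    *sid = label_from_policy(addr);
    if ((e = cache_alloc()) != NULL) { e->addr = addr; e->secid = *sid; e->used = 1; }
    return 0;
}
```

The observable difference is that an access decision under memory pressure no longer fails with -ENOMEM; it is made against the correct label, just without the cache speed-up for that object.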

Thread overview: 2+ messages
2019-09-17 19:38 Paul Moore [this message]
2019-09-23 19:05 ` pr-tracker-bot
