linux-kernel.vger.kernel.org archive mirror
* [GIT PULL] SELinux patches for v5.11
From: Paul Moore @ 2020-12-15  2:18 UTC
  To: Linus Torvalds; +Cc: selinux, linux-security-module, linux-kernel

Hi Linus,

While we have a small number of SELinux patches for v5.11, there are a
few changes worth highlighting:

- Change the LSM network hooks to pass flowi_common structs instead of
the parent flowi struct as the LSMs do not currently need the full
flowi struct and they do not have enough information to use it safely
(missing information on the address family).  This patch was discussed
both with Herbert Xu (representing team netdev) and James Morris
(representing team LSMs-other-than-SELinux).

- Fix how we handle errors in inode_doinit_with_dentry() so that we
attempt to properly label the inode on following lookups instead of
continuing to treat it as unlabeled.

- Tweak the kernel logic around allowx, auditallowx, and dontauditx
SELinux policy statements such that the auditx/dontauditx are
effective even without the allowx statement.

Everything passes our test suite and as of an hour or two ago it
applies cleanly to your tree; please merge for v5.11.

Thanks,
-Paul

--
The following changes since commit 3650b228f83adda7e5ee532e2b90429c03f7b9ec:

 Linux 5.10-rc1 (2020-10-25 15:14:11 -0700)

are available in the Git repository at:

 git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
   tags/selinux-pr-20201214

for you to fetch changes up to 3df98d79215ace13d1e91ddfc5a67a0f5acbd83f:

 lsm,selinux: pass flowi_common instead of flowi to the LSM hooks
   (2020-11-23 18:36:21 -0500)

----------------------------------------------------------------
selinux/stable-5.11 PR 20201214

----------------------------------------------------------------
Gustavo A. R. Silva (1):
     selinux: Fix fall-through warnings for Clang

Ondrej Mosnacek (1):
     selinux: drop super_block backpointer from superblock_security_struct

Paul Moore (2):
     selinux: fix inode_doinit_with_dentry() LABEL_INVALID error handling
     lsm,selinux: pass flowi_common instead of flowi to the LSM hooks

Tianyue Ren (1):
     selinux: fix error initialization in inode_doinit_with_dentry()

bauen1 (1):
     selinux: allow dontauditx and auditallowx rules to take effect without
       allowx

.../chelsio/inline_crypto/chtls/chtls_cm.c         |  2 +-
drivers/net/wireguard/socket.c                     |  4 ++--
include/linux/lsm_hook_defs.h                      |  4 ++--
include/linux/lsm_hooks.h                          |  2 +-
include/linux/security.h                           | 23 +++++++++-------
include/net/flow.h                                 | 10 +++++++++
include/net/route.h                                |  6 ++---
net/dccp/ipv4.c                                    |  2 +-
net/dccp/ipv6.c                                    |  6 ++---
net/ipv4/icmp.c                                    |  4 ++--
net/ipv4/inet_connection_sock.c                    |  4 ++--
net/ipv4/ip_output.c                               |  2 +-
net/ipv4/ping.c                                    |  2 +-
net/ipv4/raw.c                                     |  2 +-
net/ipv4/syncookies.c                              |  2 +-
net/ipv4/udp.c                                     |  2 +-
net/ipv6/af_inet6.c                                |  2 +-
net/ipv6/datagram.c                                |  2 +-
net/ipv6/icmp.c                                    |  6 ++---
net/ipv6/inet6_connection_sock.c                   |  4 ++--
net/ipv6/netfilter/nf_reject_ipv6.c                |  2 +-
net/ipv6/ping.c                                    |  2 +-
net/ipv6/raw.c                                     |  2 +-
net/ipv6/syncookies.c                              |  2 +-
net/ipv6/tcp_ipv6.c                                |  4 ++--
net/ipv6/udp.c                                     |  2 +-
net/l2tp/l2tp_ip6.c                                |  2 +-
net/netfilter/nf_synproxy_core.c                   |  2 +-
net/xfrm/xfrm_state.c                              |  6 +++--
security/security.c                                | 17 +++++++-------
security/selinux/hooks.c                           | 26 ++++++++++++------
security/selinux/include/objsec.h                  |  1 -
security/selinux/include/xfrm.h                    |  2 +-
security/selinux/ss/services.c                     |  4 +---
security/selinux/xfrm.c                            | 13 ++++++-----
35 files changed, 101 insertions(+), 77 deletions(-)

-- 
paul moore
www.paul-moore.com
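
The first highlight in the message above (hooks receive flowi_common rather than the parent flowi because they lack the address family) can be seen in a small userspace model. This is an added example, not code from the pull request or the kernel: the types, field names and functions are simplified stand-ins, and the byte overlap it shows assumes a common ABI with 4-byte aligned uint32_t.

```c
#include <stdint.h>
#include <string.h>

/* Simplified userspace model, constructed for illustration: type and field
 * names are stand-ins for the kernel's flowi types, not copies of them. */
struct flow_common { uint8_t proto; uint32_t secid; };  /* family-independent */
struct flow4 { struct flow_common c; uint32_t saddr, daddr; };
struct flow6 { struct flow_common c; uint8_t saddr[16], daddr[16]; };

/* Parent type: a union with no field recording which member is live. */
union flow { struct flow_common common; struct flow4 ip4; struct flow6 ip6; };

/* Hook that receives the whole union. To go past the common header it must
 * guess the family; this one guesses IPv4 and returns whatever is there. */
uint32_t hook_full_flow_daddr(const union flow *fl)
{
    return fl->ip4.daddr;
}

/* Hook that receives only the common header: family-specific members are
 * out of reach, so they cannot be misread. */
void hook_common_set_secid(struct flow_common *flc, uint32_t sk_sid)
{
    flc->secid = sk_sid;
}

/* The caller built the flow and knows its family, so it does the narrowing. */
struct flow_common *flow6_to_common(struct flow6 *f) { return &f->c; }
/* Returns 1 when the IPv4 guess on an IPv6 flow read IPv6 source bytes. */
int misread_overlaps_v6_saddr(void)
{
    union flow fl;
    uint32_t got, expect;
    memset(&fl, 0, sizeof(fl));
    for (int i = 0; i < 16; i++)
        fl.ip6.saddr[i] = (uint8_t)(0xA0 + i);  /* constructed address */
    got = hook_full_flow_daddr(&fl);
    memcpy(&expect, &fl.ip6.saddr[4], sizeof(expect));
    return got == expect;
}

/* Labels an IPv6 flow through the narrowed pointer and returns the secid. */
uint32_t label_v6_flow(uint32_t sk_sid)
{
    struct flow6 f6;
    memset(&f6, 0, sizeof(f6));
    hook_common_set_secid(flow6_to_common(&f6), sk_sid);
    return f6.c.secid;
}
```
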


* Re: [GIT PULL] SELinux patches for v5.11
From: pr-tracker-bot @ 2020-12-16 19:44 UTC
  To: Paul Moore; +Cc: Linus Torvalds, selinux, linux-security-module, linux-kernel

The pull request you sent on Mon, 14 Dec 2020 21:18:20 -0500:

> git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git tags/selinux-pr-20201214

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/ca5b877b6ccc7b989614f3f541e9a1fe2ff7f75a

Thank you!

-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/prtracker.html
