archive mirror
 help / color / mirror / Atom feed
From: Paul Moore <>
To: Linus Torvalds <>
Subject: [GIT PULL] SELinux patches for v5.6
Date: Mon, 27 Jan 2020 17:26:18 -0500	[thread overview]
Message-ID: <> (raw)

Hi Linus,

This is one of the bigger SELinux pull requests in recent years with
28 patches.  Everything is passing our test suite and the highlights
are listed below, please merge them for v5.6.

- Mark CONFIG_SECURITY_SELINUX_DISABLE as deprecated.  We're some time
away from actually attempting to remove this in the kernel, but the
only distro we know that still uses it (Fedora) is working on moving
away from this so we want to at least let people know we are planning
to remove it.

- Reorder the SELinux hooks to help prevent bad things when SELinux is
disabled at runtime.  The proper fix is to remove the
CONFIG_SECURITY_SELINUX_DISABLE functionality (see above) and just
take care of it at boot time (e.g. "selinux=0").

- Add SELinux controls for the kernel lockdown functionality,
introducing a new SELinux class/permissions: "lockdown { integrity
confidentiality }".

- Add a SELinux control for move_mount(2) that reuses the "file {
mounton }" permission.

- Improvements to the SELinux security label data store lookup
functions to speed up translations between our internal label
representations and the visible string labels (both directions).

- Revisit a previous fix related to SELinux inode auditing and
permission caching and do it correctly this time.

- Fix the SELinux access decision cache to cleanup properly on error.
In some extreme cases this could limit the cache size and result in a
decrease in performance.

- Enable SELinux per-file labeling for binderfs.

- The SELinux initialized and disabled flags were wrapped with
accessors to ensure they are accessed correctly.

- Mark several key SELinux structures with __randomize_layout.

- Changes to the LSM build configuration to only build
security/lsm_audit.c when needed.

- Changes to the SELinux build configuration to only build the IB
object cache when CONFIG_SECURITY_INFINIBAND is enabled.

- Move a number of single-caller functions into their callers.

- Documentation fixes (/selinux -> /sys/fs/selinux).

- A handful of cleanup patches that aren't worth mentioning on their
own, the individual descriptions have plenty of detail.


The following changes since commit e42617b825f8073569da76dc4510bfa019b1c35a:

 Linux 5.5-rc1 (2019-12-08 14:57:55 -0800)

are available in the Git repository at:


for you to fetch changes up to 98aa00345de54b8340dc2ddcd87f446d33387b5e:

 selinux: fix regression introduced by move_mount(2) syscall
   (2020-01-20 07:42:37 -0500)

selinux/stable-5.6 PR 20200127

Hridya Valsaraju (1):
     selinux: allow per-file labelling for binderfs

Huaisheng Ye (2):
     selinux: remove redundant msg_msg_alloc_security
     selinux: remove redundant selinux_nlmsg_perm

Jaihind Yadav (1):
     selinux: ensure we cleanup the internal AVC counters on error in

Jeff Vander Stoep (1):
     selinux: sidtab reverse lookup hash table

Ondrej Mosnacek (5):
     selinux: cache the SID -> context string translation
     selinux: treat atomic flags more carefully
     selinux: reorder hooks to make runtime disable less broken
     selinux: fix wrong buffer types in policydb.c
     selinux: do not allocate ancillary buffer on first load

Paul Moore (4):
     selinux: ensure we cleanup the internal AVC counters on error in
     selinux: ensure the policy has been loaded before reading the sidtab stats
     selinux: deprecate disabling SELinux and runtime
     selinux: remove redundant allocation and helper functions

Ravi Kumar Siddojigari (1):
     selinux: move ibpkeys code under CONFIG_SECURITY_INFINIBAND.

Stephen Smalley (10):
     security,lockdown,selinux: implement SELinux lockdown
     selinux: revert "stop passing MAY_NOT_BLOCK to the AVC upon follow_link"
     selinux: fall back to ref-walk if audit is required
     selinux: clean up selinux_inode_permission MAY_NOT_BLOCK tests
     security: only build lsm_audit if CONFIG_SECURITY=y
     selinux: clean up selinux_enabled/disabled/enforcing_boot
     selinux: randomize layout of key structures
     Documentation,selinux: fix references to old selinuxfs mount point
     selinux: make default_noexec read-only after init
     selinux: fix regression introduced by move_mount(2) syscall

Yang Guo (1):
     selinux: remove unnecessary selinux cred request

YueHaibing (1):
     selinux: remove set but not used variable 'sidtab'

liuyang34 (1):
     selinuxfs: use scnprintf to get real length for inode

Documentation/ABI/obsolete/sysfs-selinux-disable |  26 ++
Documentation/admin-guide/kernel-parameters.txt  |   9 +-
MAINTAINERS                                      |   1 +
include/linux/lsm_audit.h                        |   2 +
include/linux/security.h                         |   2 +
security/Makefile                                |   2 +-
security/lockdown/lockdown.c                     |  27 --
security/lsm_audit.c                             |   5 +
security/security.c                              |  33 ++
security/selinux/Kconfig                         |  33 +-
security/selinux/Makefile                        |   4 +-
security/selinux/avc.c                           |  95 +++---
security/selinux/hooks.c                         | 388 ++++++++++--------
security/selinux/ibpkey.c                        |   2 +-
security/selinux/include/avc.h                   |  13 +-
security/selinux/include/classmap.h              |   2 +
security/selinux/include/ibpkey.h                |  13 +-
security/selinux/include/objsec.h                |   2 +-
security/selinux/include/security.h              |  40 ++-
security/selinux/netif.c                         |   2 +-
security/selinux/netnode.c                       |   2 +-
security/selinux/netport.c                       |   2 +-
security/selinux/selinuxfs.c                     |  87 ++++-
security/selinux/ss/context.h                    |  11 +-
security/selinux/ss/policydb.c                   |   9 +-
security/selinux/ss/policydb.h                   |   2 +-
security/selinux/ss/services.c                   | 312 +++++++++++-------
security/selinux/ss/services.h                   |   6 +-
security/selinux/ss/sidtab.c                     | 402 ++++++++++++-------
security/selinux/ss/sidtab.h                     |  70 +++-
30 files changed, 1045 insertions(+), 559 deletions(-)
create mode 100644 Documentation/ABI/obsolete/sysfs-selinux-disable

paul moore

             reply	other threads:[~2020-01-27 22:26 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-01-27 22:26 Paul Moore [this message]
2020-01-27 23:55 ` [GIT PULL] SELinux patches for v5.6 pr-tracker-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).