[GIT PULL] SELinux patches for v5.16

[Paul Moore <paul@paul-moore.com>]

Hi Linus,

Below is the SELinux pull request for v5.16 with a note about merge
conflicts following the highlight reel (you'll see something similar
on the audit pull request, and hopefully the io_uring and block/dm
trees but I have no idea if they track the LSM/audit work - likely
not).

** Highlights

- Add LSM/SELinux/Smack controls and auditing for io-uring.  As usual,
the individual commit descriptions have more detail, but we were
basically missing two things which we're adding here: establishment of
a proper audit context so that auditing of io-uring ops works
similarly to how it does for syscalls (with some io-uring additions
because io-uring ops are *not* syscalls), additional LSM hooks to
enable access control points for some of the more unusual io-uring
features, e.g. credential overrides.  The additional audit callouts
and LSM hooks were done in conjunction with the io-uring folks, based
on conversations and RFC patches earlier in the year.

- Fixup the binder credential handling so that the proper credentials
are used in the LSM hooks; the
commit description and the code comment which is removed in these
patches are helpful to understand the background and why this is the
proper fix.

- Enable SELinux genfscon policy support for securityfs, allowing
improved SELinux filesystem labeling for other subsystems which make
use of securityfs, e.g. IMA.

** Merge Notes

- I'm expecting three trees to add new audit record types during this
merge window: SELinux, block/device-mapper, and audit.  I've already
talked with the different maintainers and there shouldn't be any
duplicated values, but I expect you will see some merge conflicts in
include/uapi/linux/audit.h; the "correct" values should end up as:

  +#define AUDIT_URINGOP   1336 /* io_uring operation */
  +#define AUDIT_OPENAT2   1337 /* Record showing openat2 how args */
  +#define AUDIT_DM_CTRL   1338 /* Device Mapper target control */
  +#define AUDIT_DM_EVENT  1339 /* Device Mapper events */

- Based on your tree from this afternoon you will see a merge conflict
in fs/io-wq.c, but it's just an include collision, the fixup is
trivial.

- Based on your tree from this afternoon you will see a merge conflict
in fs/io_uring.c in the io_op_def struct definition; the fixup is also
pretty easy, just make sure the "audit_skip" field is added to the
struct.

Thanks,
-Paul

--
The following changes since commit 6880fa6c56601bb8ed59df6c30fd390cc5f6dd8f:

 Linux 5.15-rc1 (2021-09-12 16:28:37 -0700)

are available in the Git repository at:

 git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
   tags/selinux-pr-20211101

for you to fetch changes up to 15bf32398ad488c0df1cbaf16431422c87e4feea:

 security: Return xattr name from security_dentry_init_security()
   (2021-10-20 08:17:08 -0400)

----------------------------------------------------------------
selinux/stable-5.16 PR 20211101

----------------------------------------------------------------
Casey Schaufler (1):
     Smack: Brutalist io_uring support

Christian Göttsche (1):
     selinux: enable genfscon labeling for securityfs

Florian Westphal (1):
     selinux: remove unneeded ipv6 hook wrappers

Kees Cook (1):
     LSM: Avoid warnings about potentially unused hook variables

Ondrej Mosnacek (1):
     selinux: fix race condition when computing ocontext SIDs

Paul Moore (11):
     audit: prepare audit_context for use in calling contexts beyond syscalls
     audit,io_uring,io-wq: add some basic audit support to io_uring
     audit: add filtering for io_uring records
     fs: add anon_inode_getfile_secure() similar to anon_inode_getfd_secure()
     io_uring: convert io_uring to the secure anon inode interface
     lsm,io_uring: add LSM hooks to io_uring
     selinux: add support for the io_uring access controls
     selinux: remove the SELinux lockdown implementation
     selinux: make better use of the nf_hook_state passed to the NF hooks
     selinux: fix all of the W=1 build warnings
     selinux: fix a sock regression in selinux_ip_postroute_compat()

Todd Kjos (3):
     binder: use euid from cred instead of using task
     binder: use cred instead of task for selinux checks
     binder: use cred instead of task for getsecid

Vivek Goyal (1):
     security: Return xattr name from security_dentry_init_security()

drivers/android/binder.c            |  27 +--
drivers/android/binder_internal.h   |   4 +
fs/anon_inodes.c                    |  29 +++
fs/ceph/xattr.c                     |   3 +-
fs/io-wq.c                          |   4 +
fs/io_uring.c                       |  69 +++++-
fs/nfs/nfs4proc.c                   |   3 +-
include/linux/anon_inodes.h         |   4 +
include/linux/audit.h               |  26 ++
include/linux/lsm_hook_defs.h       |  22 +-
include/linux/lsm_hooks.h           |  30 ++-
include/linux/security.h            |  55 +++--
include/uapi/linux/audit.h          |   4 +-
kernel/audit.h                      |   7 +-
kernel/audit_tree.c                 |   3 +-
kernel/audit_watch.c                |   3 +-
kernel/auditfilter.c                |  15 +-
kernel/auditsc.c                    | 468 +++++++++++++++++++++++++-----
security/security.c                 |  35 ++-
security/selinux/avc.c              |  13 +-
security/selinux/hooks.c            | 239 +++++++-----------
security/selinux/include/classmap.h |   4 +-
security/selinux/netlabel.c         |   7 +-
security/selinux/netport.c          |   2 +-
security/selinux/ss/hashtab.c       |   1 +
security/selinux/ss/mls.c           |   4 +
security/selinux/ss/services.c      | 176 +++++++-------
security/smack/smack_lsm.c          |  46 ++++
28 files changed, 882 insertions(+), 421 deletions(-)

-- 
paul moore
www.paul-moore.com