
[GIT,PULL] lsm/lsm-pr-20250121

Message ID da749e8ed1a18e2b14d9337a78749b15@paul-moore.com (mailing list archive)

Pull-request

https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git tags/lsm-pr-20250121

Message

Paul Moore Jan. 21, 2025, 11:40 p.m. UTC
Linus,

Fifteen LSM framework patches for the v6.14 merge window, a summary is
below:

- Improved handling of LSM "secctx" strings through lsm_context struct

  The LSM secctx string interface is from an older time when only one
  LSM was supported, migrate over to the lsm_context struct to better
  support the different LSMs we now have and make it easier to support
  new LSMs in the future.
  
  These changes explain the Rust, VFS, and networking changes in the
  diffstat.

- Only build lsm_audit.c if CONFIG_SECURITY and CONFIG_AUDIT are enabled

  Small tweak to be a bit smarter about when we build the LSM's common
  audit helpers.

- Check for absurdly large policies from userspace in SafeSetID

  SafeSetID policy rules are fairly small, basically just "UID:UID", so
  it is easy to impose a limit of KMALLOC_MAX_SIZE on policy writes which
  helps quiet a number of syzbot related issues.  While work is being
  done to address the syzbot issues through other mechanisms, this is
  a trivial and relatively safe fix that we can do now.

- Various minor improvements and cleanups

  A collection of improvements to the kernel selftests, constification
  of some function parameters, removing redundant assignments, and local
  variable renames to improve readability.

Paul

--
The following changes since commit 40384c840ea1944d7c5a392e8975ed088ecf0b37:

  Linux 6.13-rc1 (2024-12-01 14:28:56 -0800)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git
    tags/lsm-pr-20250121

for you to fetch changes up to 714d87c90a766e6917f7d69f618b864d350f09d3:

  lockdown: initialize local array before use to quiet static analysis
    (2025-01-05 12:48:43 -0500)

----------------------------------------------------------------
lsm/stable-6.14 PR 20250121
----------------------------------------------------------------

Alice Ryhl (1):
      rust: replace lsm context+len with lsm_context

Amit Vadhavana (1):
      selftests: refactor the lsm `flags_overset_lsm_set_self_attr` test

Casey Schaufler (7):
      lsm: ensure the correct LSM context releaser
      lsm: replace context+len with lsm_context
      lsm: use lsm_context in security_inode_getsecctx
      lsm: lsm_context in security_dentry_init_security
      lsm: secctx provider check on release
      binder: initialize lsm_context structure
      net: corrections for security_secid_to_secctx returns

Christian Göttsche (2):
      lsm: constify function parameters
      lsm: rename variable to avoid shadowing

Colin Ian King (1):
      security: remove redundant assignment to return variable

Leo Stone (1):
      safesetid: check size of policy writes

Mickaël Salaün (1):
      lsm: Only build lsm_audit.c if CONFIG_SECURITY and CONFIG_AUDIT
         are set

Tanya Agarwal (1):
      lockdown: initialize local array before use to quiet static
         analysis

 drivers/android/binder.c                             |   25 +---
 fs/ceph/super.h                                      |    3 
 fs/ceph/xattr.c                                      |   12 -
 fs/fuse/dir.c                                        |   35 ++---
 fs/nfs/nfs4proc.c                                    |   22 ++-
 fs/nfsd/nfs4xdr.c                                    |   22 +--
 include/linux/lsm_audit.h                            |   14 ++
 include/linux/lsm_hook_defs.h                        |   13 --
 include/linux/security.h                             |   37 +++---
 include/net/scm.h                                    |   12 -
 kernel/audit.c                                       |   33 ++---
 kernel/auditsc.c                                     |   27 +---
 net/ipv4/ip_sockglue.c                               |   12 -
 net/netfilter/nf_conntrack_netlink.c                 |   20 +--
 net/netfilter/nf_conntrack_standalone.c              |   11 -
 net/netfilter/nfnetlink_queue.c                      |   26 ++--
 net/netlabel/netlabel_unlabeled.c                    |   44 ++-----
 net/netlabel/netlabel_user.c                         |   10 -
 rust/helpers/security.c                              |    8 -
 rust/kernel/security.rs                              |   38 ++----
 security/Kconfig                                     |    5 
 security/Makefile                                    |    2 
 security/apparmor/include/secid.h                    |    7 -
 security/apparmor/secid.c                            |   34 +++--
 security/lockdown/lockdown.c                         |    2 
 security/lsm_audit.c                                 |    8 -
 security/safesetid/securityfs.c                      |    3 
 security/security.c                                  |   67 ++++-------
 security/selinux/hooks.c                             |   49 +++++---
 security/smack/smack_lsm.c                           |   52 ++++----
 tools/testing/selftests/lsm/lsm_set_self_attr_test.c |    7 -
 31 files changed, 351 insertions(+), 309 deletions(-)

--
paul-moore.com
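The secctx bullet above describes replacing a bare context-string plus length pair with an lsm_context struct that also records which LSM produced the string, so that the right LSM releases it. The userspace C model below is an added example, not code from the kernel tree or from this pull request: it keeps the three-field shape of lsm_context (context, len, id) but every other name (MODEL_ID_FIRST, model_secid_to_secctx, model_security_release_secctx, the two constructed labels) is an assumption invented for the illustration. It shows why a release hook that checks the provider id is safe to run across every LSM, while the old interface could only hand the buffer to a fixed releaser.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Placeholder ids for two modelled LSMs; the kernel uses LSM_ID_* constants
 * (assumption: these values exist only in this example). */
#define MODEL_ID_FIRST  1
#define MODEL_ID_SECOND 2

/* Same shape as the kernel's lsm_context: the string, its length, and the id
 * of the LSM that provided it. */
struct lsm_context {
	char *context;
	uint32_t len;
	int id;
};

struct model_lsm {
	int id;
	const char *label;  /* constructed label this LSM hands out for any secid */
	int released;       /* how many contexts this LSM's release hook freed */
};

static struct model_lsm lsms[] = {
	{ MODEL_ID_FIRST,  "first_lsm:object_label", 0 },
	{ MODEL_ID_SECOND, "second_lsm_label",       0 },
};
#define NLSMS (sizeof(lsms) / sizeof(lsms[0]))

/* Provider hook: allocate the context and stamp it with the provider's id.
 * Returns the length, or -1 on allocation failure (the kernel returns -errno). */
static int model_secid_to_secctx(struct model_lsm *lsm, struct lsm_context *cp)
{
	size_t n = strlen(lsm->label);

	cp->context = malloc(n + 1);
	if (!cp->context)
		return -1;
	memcpy(cp->context, lsm->label, n + 1);
	cp->len = (uint32_t)n;
	cp->id = lsm->id;
	return (int)cp->len;
}

/* Release hook with the provider check: an LSM frees only what it allocated. */
static void model_release_secctx(struct model_lsm *lsm, struct lsm_context *cp)
{
	if (cp->id != lsm->id)
		return;
	free(cp->context);
	cp->context = NULL;
	cp->len = 0;
	cp->id = 0;
	lsm->released++;
}

/* Framework side: every LSM's release hook runs; the id check picks the owner. */
static void model_security_release_secctx(struct lsm_context *cp)
{
	for (size_t i = 0; i < NLSMS; i++)
		model_release_secctx(&lsms[i], cp);
}

/* Old interface: a bare (secdata, seclen) pair carries no provider id, so the
 * framework can only route the buffer to a fixed hook, modelled here as the
 * first LSM in the chain. */
static void model_old_release_secctx(char *secdata, uint32_t seclen)
{
	(void)seclen;
	free(secdata);
	lsms[0].released++;
}

static void model_reset(void)
{
	for (size_t i = 0; i < NLSMS; i++)
		lsms[i].released = 0;
}

/* Context from the second LSM released through the old interface:
 * returns 1 when the release lands on the wrong LSM. */
int old_path_wrong_releaser(void)
{
	struct lsm_context cp;

	model_reset();
	if (model_secid_to_secctx(&lsms[1], &cp) < 0)
		return -1;
	model_old_release_secctx(cp.context, cp.len);
	return lsms[0].released == 1 && lsms[1].released == 0;
}

/* Same context released through lsm_context: returns 1 when only the
 * provider freed it and the struct was cleared. */
int new_path_correct_releaser(void)
{
	struct lsm_context cp;

	model_reset();
	if (model_secid_to_secctx(&lsms[1], &cp) < 0)
		return -1;
	model_security_release_secctx(&cp);
	return lsms[0].released == 0 && lsms[1].released == 1 && cp.context == NULL;
}

int main(void)
{
	printf("old interface, wrong releaser: %d\n", old_path_wrong_releaser());
	printf("lsm_context, correct releaser: %d\n", new_path_correct_releaser());
	return 0;
}
```

The model deliberately lets the old path "succeed" with a plain free(); in a real multi-LSM kernel the releaser may need LSM-specific bookkeeping, which is exactly why the provider id has to travel with the buffer.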

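The SafeSetID bullet describes bounding the size of policy writes before they are processed, because a rule is only ever a short "UID:UID" pair. The following userspace model is an added example, not the securityfs handler from the kernel or from this pull request: MODEL_POLICY_MAX_SIZE is a constructed stand-in for KMALLOC_MAX_SIZE (kept small so the rejection path is easy to exercise), and model_policy_write, parse_rule and the demo_* functions are names invented for the illustration. The point it demonstrates is ordering: the length check runs before the user buffer is copied, so an oversized write never reaches the allocator, and each line is then parsed strictly as two decimal UIDs.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed limit standing in for KMALLOC_MAX_SIZE (assumption for this example). */
#define MODEL_POLICY_MAX_SIZE 256

struct model_uid_rule {
	uint32_t src;
	uint32_t dst;
};

/* Parse one "UID:UID" line. Returns 0 on success, -EINVAL on anything else. */
static int parse_rule(const char *line, struct model_uid_rule *rule)
{
	char *end;
	unsigned long a, b;

	if (*line < '0' || *line > '9')
		return -EINVAL;
	a = strtoul(line, &end, 10);
	if (*end != ':' || end[1] < '0' || end[1] > '9')
		return -EINVAL;
	b = strtoul(end + 1, &end, 10);
	if (*end != '\0' || a > UINT32_MAX || b > UINT32_MAX)
		return -EINVAL;
	rule->src = (uint32_t)a;
	rule->dst = (uint32_t)b;
	return 0;
}

/* Model of a securityfs write handler. The size check comes first, before the
 * buffer is copied, so an absurdly large policy is refused without any
 * allocation sized by the caller. Returns the rule count, or -errno. */
int model_policy_write(const char *ubuf, size_t len,
		       struct model_uid_rule *rules, size_t max_rules)
{
	char *copy;
	size_t n = 0;
	int ret = 0;

	if (len >= MODEL_POLICY_MAX_SIZE)
		return -EINVAL;
	copy = malloc(len + 1);
	if (!copy)
		return -ENOMEM;
	memcpy(copy, ubuf, len);
	copy[len] = '\0';

	/* One rule per line; any malformed line rejects the whole write. */
	for (char *p = copy; *p; ) {
		char *nl = strchr(p, '\n');

		if (nl)
			*nl = '\0';
		if (n == max_rules) {
			ret = -EINVAL;
			break;
		}
		ret = parse_rule(p, &rules[n]);
		if (ret)
			break;
		n++;
		if (!nl)
			break;
		p = nl + 1;
	}
	free(copy);
	return ret ? ret : (int)n;
}

/* Constructed well-formed policy with two rules: returns 2. */
int demo_valid_policy(void)
{
	struct model_uid_rule rules[4];
	const char policy[] = "1000:1001\n1000:1002\n";

	return model_policy_write(policy, sizeof(policy) - 1, rules, 4);
}

/* A write at the limit is refused before anything is copied: returns -EINVAL. */
int demo_oversized_policy(void)
{
	struct model_uid_rule rules[4];
	char *big = malloc(MODEL_POLICY_MAX_SIZE);
	int ret;

	if (!big)
		return -ENOMEM;
	memset(big, '1', MODEL_POLICY_MAX_SIZE);
	ret = model_policy_write(big, MODEL_POLICY_MAX_SIZE, rules, 4);
	free(big);
	return ret;
}

/* A malformed second line rejects the whole write: returns -EINVAL. */
int demo_malformed_policy(void)
{
	struct model_uid_rule rules[4];
	const char policy[] = "1000:1001\n1000:abc\n";

	return model_policy_write(policy, sizeof(policy) - 1, rules, 4);
}
```

The same ordering applies to any kernel interface that sizes an allocation from a userspace-supplied length: reject the implausible sizes before the copy, then parse on a bounded buffer.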
Comments

pr-tracker-bot@kernel.org Jan. 22, 2025, 4:15 a.m. UTC | #1
The pull request you sent on Tue, 21 Jan 2025 18:40:10 -0500:

> https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git tags/lsm-pr-20250121

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/f96a974170b749e3a56844e25b31d46a7233b6f6

Thank you!