From patchwork Tue Jun 2 01:06:48 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Paul Moore X-Patchwork-Id: 11582805 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 5371814F6 for ; Tue, 2 Jun 2020 01:07:01 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 2FD1E20734 for ; Tue, 2 Jun 2020 01:07:01 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=paul-moore-com.20150623.gappssmtp.com header.i=@paul-moore-com.20150623.gappssmtp.com header.b="g3P79kjv" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725804AbgFBBHB (ORCPT ); Mon, 1 Jun 2020 21:07:01 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47728 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725802AbgFBBHA (ORCPT ); Mon, 1 Jun 2020 21:07:00 -0400 Received: from mail-ej1-x641.google.com (mail-ej1-x641.google.com [IPv6:2a00:1450:4864:20::641]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 42ADFC05BD43 for ; Mon, 1 Jun 2020 18:07:00 -0700 (PDT) Received: by mail-ej1-x641.google.com with SMTP id a2so11018566ejb.10 for ; Mon, 01 Jun 2020 18:07:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to:cc; bh=bacYd6Xj63f6+mhdcMdTVJ2YDOuetS8awQOMSRyd60k=; b=g3P79kjvPSikCAVrOvBjMTJ1MhKHE5VPpEN91wi3kMamR76EyRhCW9QvW8uo4vgVeY 4T/e+gLBxH1XD09jzNROz6FxUoHmrP7v9gVAhUpKD/OEEnkjrnz8yAKbp3vQGEGf8IOr r86eaWMmSva9QxMhxNWI7HqZHNI9gy9hAspDJ3MWp8Tj1XQF3/Vdffbuw8+0MOkTBCN+ qw0F9UkTrdMj4I1Ao7kICX4j8WOagpY+oE0Y6vhkNXaAo9cahwHcCiwoYPrTxychDbB7 aX4VoZrX1I1exEHTXOqkJTuflg7HRJS3lvG7ZwRA6PAAWPkD1BD99DE45/LjxwR012CP t/Ng== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=bacYd6Xj63f6+mhdcMdTVJ2YDOuetS8awQOMSRyd60k=; b=sdXbsWt1YYEc1+2IK2hm+IFx9NnoUmeBNuMIkkn05cIMITatkkitJog87G7CluY7gp rfZRa39p3GfX42k9rqFcOhcbkGemrWm9uwp9ulZjqliYeMe7nXDT1K+zAO3RJ2q9HW9u yY2llecuY8caLsBO7uF5+ueCUGbH+YUA0tRHypOzhR8YPZ1aan6FbeJ8rPGGejyvPZ0A My+cJfvfqLpI3MuQfX0/L2GjpRG/+O3Ik79AJyzTc6xPP6R7RktH1dfMIpMatI/uZqv9 AJsXl11dxoIbeFTpfmE8UEU+HGaebUTQG2O702+veFwHvZud9zpu1HT5xEtl4DGAmN9J ixTw== X-Gm-Message-State: AOAM531Y/5lxZQquvN0zFFjaGhWA3myk3472P0SXGcrFN63PUD++QNr1 /sICnmAC2PnQ0jJkNLFHCaI0uU+4k5ktc8dAvjbKb4uaoA== X-Google-Smtp-Source: ABdhPJyKsQV/yosAgyJ5ku5AJYZrdaUYTfXNwFDdpTJsLDr6Wwl2VzwIzIBZoKOV8M4cuLJdwpCobc4TVnk8A/FK5xk= X-Received: by 2002:a17:906:7395:: with SMTP id f21mr10789073ejl.178.1591060018671; Mon, 01 Jun 2020 18:06:58 -0700 (PDT) MIME-Version: 1.0 From: Paul Moore Date: Mon, 1 Jun 2020 21:06:48 -0400 Message-ID: Subject: [GIT PULL] SELinux patches for v5.8 To: Linus Torvalds Cc: selinux@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Hi Linus, Here are the SELinux patches for v5.8. All the patches pass our test suite and as of about 15 minutes ago they apply cleanly to the top of your tree. Please merge into v5.8. The highlights: - A number of improvements to various SELinux internal data structures to help improve performance. We move the role transitions into a hash table. In the content structure we shift from hashing the content string (aka SELinux label) to the structure itself, when it is valid. This last change not only offers a speedup, but it helps us simplify the code some as well. - Add a new SELinux policy version which allows for a more space efficient way of storing the filename transitions in the binary policy. Given the default Fedora SELinux policy with the unconfined module enabled, this change drops the policy size from ~7.6MB to ~3.3MB. The kernel policy load time dropped as well. - Some fixes to the error handling code in the policy parser to properly return error codes when things go wrong. Thanks, -Paul --- The following changes since commit 8f3d9f354286745c751374f5f1fcafee6b3f3136: Linux 5.7-rc1 (2020-04-12 12:35:55 -0700) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git tags/selinux-pr-20200601 for you to fetch changes up to fe5a90b8c14914397a3bb0c214d142103c1ba3bf: selinux: netlabel: Remove unused inline function (2020-05-12 20:16:33 -0400) ---------------------------------------------------------------- selinux/stable-5.8 PR 20200601 ---------------------------------------------------------------- Ondrej Mosnacek (9): selinux: drop unnecessary smp_load_acquire() call selinux: store role transitions in a hash table selinux: hash context structure directly selinux: move context hashing under sidtab selinux: implement new format of filename transitions selinux: don't produce incorrect filename_trans_count selinux: simplify range_write() selinux: fix return value on error in policydb_read() selinux: do not allocate hashtabs dynamically Wei Yongjun (1): selinux: fix error return code in policydb_read() YueHaibing (1): selinux: netlabel: Remove unused inline function Zou Wei (1): selinux: fix warning Comparison to bool security/selinux/Makefile | 2 +- security/selinux/include/netlabel.h | 6 - security/selinux/include/security.h | 3 +- security/selinux/ss/context.c | 32 +++ security/selinux/ss/context.h | 11 +- security/selinux/ss/ebitmap.c | 14 ++ security/selinux/ss/ebitmap.h | 1 + security/selinux/ss/hashtab.c | 51 ++-- security/selinux/ss/hashtab.h | 13 +- security/selinux/ss/mls.c | 16 +- security/selinux/ss/mls.h | 11 + security/selinux/ss/policydb.c | 451 +++++++++++++++++++++++--------- security/selinux/ss/policydb.h | 15 +- security/selinux/ss/services.c | 153 +++++------- security/selinux/ss/services.h | 3 - security/selinux/ss/sidtab.c | 35 +-- security/selinux/ss/sidtab.h | 1 + security/selinux/ss/symtab.c | 5 +- security/selinux/ss/symtab.h | 2 +- 19 files changed, 499 insertions(+), 326 deletions(-) create mode 100644 security/selinux/ss/context.c