
Merge tag 'selinux-pr-20250926' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

Pull selinux updates from Paul Moore:

- Support per-file labeling for functionfs

Both genfscon and user defined labeling methods are supported. This
should help users who want to provide separation between the control
endpoint file, "ep0", and other endpoints.

- Remove our use of get_zeroed_page() in sel_read_bool()

Update sel_read_bool() to use a four byte stack buffer instead of a
memory page fetched via get_zeroed_page(), and fix a memory-handling issue in
the process.

Needless to say we should have done this a long time ago, but it was
in a very old chunk of code that "just worked" and I don't think
anyone had taken a real look at it in many years.

- Better use of the netdev skb/sock helper functions

Convert a sk_to_full_sk(skb->sk) into a skb_to_full_sk(skb) call.

- Remove some old, dead, and/or redundant code

* tag 'selinux-pr-20250926' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
selinux: enable per-file labeling for functionfs
selinux: fix sel_read_bool() allocation and error handling
selinux: Remove redundant __GFP_NOWARN
selinux: use a consistent method to get full socket from skb
selinux: Remove unused function selinux_policycap_netif_wildcard()

+22 -25
+6 -7
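--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -292,27 +292,26 @@
 	struct avc_xperms_decision_node *xpd_node;
 	struct extended_perms_decision *xpd;
 
-	xpd_node = kmem_cache_zalloc(avc_xperms_decision_cachep,
-				     GFP_NOWAIT | __GFP_NOWARN);
+	xpd_node = kmem_cache_zalloc(avc_xperms_decision_cachep, GFP_NOWAIT);
 	if (!xpd_node)
 		return NULL;
 
 	xpd = &xpd_node->xpd;
 	if (which & XPERMS_ALLOWED) {
 		xpd->allowed = kmem_cache_zalloc(avc_xperms_data_cachep,
-						 GFP_NOWAIT | __GFP_NOWARN);
+						 GFP_NOWAIT);
 		if (!xpd->allowed)
 			goto error;
 	}
 	if (which & XPERMS_AUDITALLOW) {
 		xpd->auditallow = kmem_cache_zalloc(avc_xperms_data_cachep,
-						    GFP_NOWAIT | __GFP_NOWARN);
+						    GFP_NOWAIT);
 		if (!xpd->auditallow)
 			goto error;
 	}
 	if (which & XPERMS_DONTAUDIT) {
 		xpd->dontaudit = kmem_cache_zalloc(avc_xperms_data_cachep,
-						   GFP_NOWAIT | __GFP_NOWARN);
+						   GFP_NOWAIT);
 		if (!xpd->dontaudit)
 			goto error;
 	}
@@ -339,7 +340,7 @@
 {
 	struct avc_xperms_node *xp_node;
 
-	xp_node = kmem_cache_zalloc(avc_xperms_cachep, GFP_NOWAIT | __GFP_NOWARN);
+	xp_node = kmem_cache_zalloc(avc_xperms_cachep, GFP_NOWAIT);
 	if (!xp_node)
 		return xp_node;
 	INIT_LIST_HEAD(&xp_node->xpd_head);
@@ -494,7 +495,7 @@
 {
 	struct avc_node *node;
 
-	node = kmem_cache_zalloc(avc_node_cachep, GFP_NOWAIT | __GFP_NOWARN);
+	node = kmem_cache_zalloc(avc_node_cachep, GFP_NOWAIT);
 	if (!node)
 		goto out;
 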
+7 -3
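--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -476,7 +476,9 @@
 		!strcmp(sb->s_type->name, "rootfs") ||
 		(selinux_policycap_cgroupseclabel() &&
 		 (!strcmp(sb->s_type->name, "cgroup") ||
-		  !strcmp(sb->s_type->name, "cgroup2")));
+		  !strcmp(sb->s_type->name, "cgroup2"))) ||
+		(selinux_policycap_functionfs_seclabel() &&
+		 !strcmp(sb->s_type->name, "functionfs"));
 }
 
 static int selinux_is_sblabel_mnt(struct super_block *sb)
@@ -743,7 +741,9 @@
 	    !strcmp(sb->s_type->name, "binder") ||
 	    !strcmp(sb->s_type->name, "bpf") ||
 	    !strcmp(sb->s_type->name, "pstore") ||
-	    !strcmp(sb->s_type->name, "securityfs"))
+	    !strcmp(sb->s_type->name, "securityfs") ||
+	    (selinux_policycap_functionfs_seclabel() &&
+	     !strcmp(sb->s_type->name, "functionfs")))
 		sbsec->flags |= SE_SBGENFS;
 
 	if (!strcmp(sb->s_type->name, "sysfs") ||
@@ -5889,7 +5885,7 @@
 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
 	 * because we want to make sure we apply the necessary labeling
 	 * before IPsec is applied so we can leverage AH protection */
-	sk = sk_to_full_sk(skb->sk);
+	sk = skb_to_full_sk(skb);
 	if (sk) {
 		struct sk_security_struct *sksec;
 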
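Review bot: The predicate `selinux_policycap_functionfs_seclabel() && !strcmp(sb->s_type->name, "functionfs")` is written out twice, once in the first hunk's return expression and again in the second hunk where `sbsec->flags |= SE_SBGENFS` is set, and nothing ties the two copies together. If they ever drift (one gains a different capability gate or a second fs name), functionfs superblocks would be treated as genfs-labelled in one check but not the other, which is exactly the kind of inconsistency that produces unlabeled or mislabeled endpoint inodes. A small `static bool` helper returning that expression, called from both sites, would keep them in lock-step and give the new policy capability a single place to be documented. Both enclosing functions begin before their hunks, so their names are not visible here.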
+1
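--- a/security/selinux/include/policycap.h
+++ b/security/selinux/include/policycap.h
@@ -17,6 +17,7 @@
 	POLICYDB_CAP_NETLINK_XPERM,
 	POLICYDB_CAP_NETIF_WILDCARD,
 	POLICYDB_CAP_GENFS_SECLABEL_WILDCARD,
+	POLICYDB_CAP_FUNCTIONFS_SECLABEL,
 	__POLICYDB_CAP_MAX
 };
 #define POLICYDB_CAP_MAX (__POLICYDB_CAP_MAX - 1)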
+1
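--- a/security/selinux/include/policycap_names.h
+++ b/security/selinux/include/policycap_names.h
@@ -20,6 +20,7 @@
 	"netlink_xperm",
 	"netif_wildcard",
 	"genfs_seclabel_wildcard",
+	"functionfs_seclabel",
 };
 /* clang-format on */
 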
+2 -2
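--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -203,10 +203,10 @@
 		selinux_state.policycap[POLICYDB_CAP_NETLINK_XPERM]);
 }
 
-static inline bool selinux_policycap_netif_wildcard(void)
+static inline bool selinux_policycap_functionfs_seclabel(void)
 {
 	return READ_ONCE(
-		selinux_state.policycap[POLICYDB_CAP_NETIF_WILDCARD]);
+		selinux_state.policycap[POLICYDB_CAP_FUNCTIONFS_SECLABEL]);
 }
 
 struct selinux_policy_convert_data;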
+5 -13
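--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -1203,7 +1203,7 @@
 			     size_t count, loff_t *ppos)
 {
 	struct selinux_fs_info *fsi = file_inode(filep)->i_sb->s_fs_info;
-	char *page = NULL;
+	char buffer[4];
 	ssize_t length;
 	ssize_t ret;
 	int cur_enforcing;
@@ -1217,27 +1217,19 @@
 				fsi->bool_pending_names[index]))
 		goto out_unlock;
 
-	ret = -ENOMEM;
-	page = (char *)get_zeroed_page(GFP_KERNEL);
-	if (!page)
-		goto out_unlock;
-
 	cur_enforcing = security_get_bool_value(index);
 	if (cur_enforcing < 0) {
 		ret = cur_enforcing;
 		goto out_unlock;
 	}
-	length = scnprintf(page, PAGE_SIZE, "%d %d", cur_enforcing,
-			   fsi->bool_pending_values[index]);
+	length = scnprintf(buffer, sizeof(buffer), "%d %d", !!cur_enforcing,
+			   !!fsi->bool_pending_values[index]);
 	mutex_unlock(&selinux_state.policy_mutex);
-	ret = simple_read_from_buffer(buf, count, ppos, page, length);
-out_free:
-	free_page((unsigned long)page);
-	return ret;
+	return simple_read_from_buffer(buf, count, ppos, buffer, length);
 
 out_unlock:
 	mutex_unlock(&selinux_state.policy_mutex);
-	goto out_free;
+	return ret;
 }
 
 static ssize_t sel_write_bool(struct file *filep, const char __user *buf,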
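Review bot: The new `char buffer[4]` in the first hunk is a magic size whose correctness rests on the `!!` normalisation in the second hunk ("%d %d" of two 0/1 values is three characters plus the terminator), and nothing in the code records that coupling; a comment on the declaration such as `/* "%d %d" of two 0/1 values: 3 chars + NUL */` would stop a later change to the format or the operands from being silently truncated by scnprintf(). The buffer is uninitialised stack memory, but scnprintf() always NUL-terminates and simple_read_from_buffer() copies only `length` bytes, so as written no uninitialised stack bytes can reach user space. The `goto out_unlock` taken at old line 1218 now returns `ret` directly, and `ret` is assigned somewhere above the second hunk that is not visible here, so it is presumably always set on that path but worth confirming. sel_read_bool() begins before the first hunk.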