Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag 'selinux-pr-20250725' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

Pull selinux updates from Paul Moore:

- Introduce the concept of a SELinux "neveraudit" type which prevents
all auditing of the given type/domain.

Taken by itself, the benefit of marking a SELinux domain with the
"neveraudit" tag is likely not very interesting, especially given the
significant overlap with the "dontaudit" tag.

However, given that the "neveraudit" tag applies to *all* auditing of
the tagged domain, we can do some fairly interesting optimizations
when a SELinux domain is marked as both "permissive" and "dontaudit"
(think of the unconfined_t domain).

While this pull request includes optimized inode permission and
getattr hooks, these optimizations require SELinux policy changes,
therefore the improvements may not be visible on standard downstream
Linux distros for a period of time.

- Continue the deprecation process of /sys/fs/selinux/user.

After removing the associated userspace code in 2020, we marked the
/sys/fs/selinux/user interface as deprecated in Linux v6.13 with
pr_warn() and the usual documentation update.

This adds a five second sleep after the pr_warn(), following a
previous deprecation process pattern that has worked well for us in
the past in helping identify any existing users that we haven't yet
reached.

- Add a __GFP_NOWARN flag to our initial hash table allocation.

Fuzzers such as syzbot often attempt abnormally large SELinux policy
loads, which the SELinux code gracefully handles by checking for
allocation failures, but not before the allocator emits a warning
which causes the automated fuzzing to flag this as an error and
report it to the list. While we want to continue to support the work
done by the fuzzing teams, we want to focus on proper issues and not
an error case that is already handled safely. Add a NOWARN flag to
quiet the allocator and prevent syzbot from tripping on this again.

- Remove some unnecessary selinuxfs cleanup code, courtesy of Al.

- Update the SELinux in-kernel documentation with pointers to
additional information.

* tag 'selinux-pr-20250725' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
selinux: don't bother with selinuxfs_info_free() on failures
selinux: add __GFP_NOWARN to hashtab_init() allocations
selinux: optimize selinux_inode_getattr/permission() based on neveraudit|permissive
selinux: introduce neveraudit types
documentation: add links to SELinux resources
selinux: add a 5 second sleep to /sys/fs/selinux/user

+83 -5
+11
Documentation/admin-guide/LSM/SELinux.rst
··· 2 2 SELinux 3 3 ======= 4 4 5 + Information about the SELinux kernel subsystem can be found at the 6 + following links: 7 + 8 + https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/tree/README.md 9 + 10 + https://github.com/selinuxproject/selinux-kernel/wiki 11 + 12 + Information about the SELinux userspace can be found at: 13 + 14 + https://github.com/SELinuxProject/selinux/wiki 15 + 5 16 If you want to use SELinux, chances are you will want 6 17 to use the distro-provided policies, or install the 7 18 latest reference policy release from
+13 -1
security/selinux/hooks.c
··· 3181 3181 tsec->avdcache.dir[spot].audited = audited; 3182 3182 tsec->avdcache.dir[spot].allowed = avd->allowed; 3183 3183 tsec->avdcache.dir[spot].permissive = avd->flags & AVD_FLAGS_PERMISSIVE; 3184 + tsec->avdcache.permissive_neveraudit = 3185 + (avd->flags == (AVD_FLAGS_PERMISSIVE|AVD_FLAGS_NEVERAUDIT)); 3184 3186 } 3185 3187 3186 3188 /** ··· 3209 3207 if (!mask) 3210 3208 return 0; 3211 3209 3210 + tsec = selinux_cred(current_cred()); 3211 + if (task_avdcache_permnoaudit(tsec)) 3212 + return 0; 3213 + 3212 3214 isec = inode_security_rcu(inode, requested & MAY_NOT_BLOCK); 3213 3215 if (IS_ERR(isec)) 3214 3216 return PTR_ERR(isec); 3215 - tsec = selinux_cred(current_cred()); 3216 3217 perms = file_mask_to_av(inode->i_mode, mask); 3217 3218 3218 3219 rc = task_avdcache_search(tsec, isec, &avdc); ··· 3279 3274 3280 3275 static int selinux_inode_getattr(const struct path *path) 3281 3276 { 3277 + struct task_security_struct *tsec; 3278 + 3279 + tsec = selinux_cred(current_cred()); 3280 + 3281 + if (task_avdcache_permnoaudit(tsec)) 3282 + return 0; 3283 + 3282 3284 return path_has_perm(current_cred(), path, FILE__GETATTR); 3283 3285 } 3284 3286
+4
security/selinux/include/avc.h
··· 65 65 int result, u32 auditdeny, u32 *deniedp) 66 66 { 67 67 u32 denied, audited; 68 + 69 + if (avd->flags & AVD_FLAGS_NEVERAUDIT) 70 + return 0; 71 + 68 72 denied = requested & ~avd->allowed; 69 73 if (unlikely(denied)) { 70 74 audited = denied & avd->auditdeny;
+8
security/selinux/include/objsec.h
··· 49 49 u32 seqno; /* AVC sequence number */ 50 50 unsigned int dir_spot; /* dir cache index to check first */ 51 51 struct avdc_entry dir[TSEC_AVDC_DIR_SIZE]; /* dir entries */ 52 + bool permissive_neveraudit; /* permissive and neveraudit */ 52 53 } avdcache; 53 54 } __randomize_layout; 55 + 56 + static inline bool task_avdcache_permnoaudit(struct task_security_struct *tsec) 57 + { 58 + return (tsec->avdcache.permissive_neveraudit && 59 + tsec->sid == tsec->avdcache.sid && 60 + tsec->avdcache.seqno == avc_policy_seqno()); 61 + } 54 62 55 63 enum label_initialized { 56 64 LABEL_INVALID, /* invalid or not initialized */
+3 -1
security/selinux/include/security.h
··· 47 47 #define POLICYDB_VERSION_GLBLUB 32 48 48 #define POLICYDB_VERSION_COMP_FTRANS 33 /* compressed filename transitions */ 49 49 #define POLICYDB_VERSION_COND_XPERMS 34 /* extended permissions in conditional policies */ 50 + #define POLICYDB_VERSION_NEVERAUDIT 35 /* neveraudit types */ 50 51 51 52 /* Range of policy versions we understand*/ 52 53 #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE 53 - #define POLICYDB_VERSION_MAX POLICYDB_VERSION_COND_XPERMS 54 + #define POLICYDB_VERSION_MAX POLICYDB_VERSION_NEVERAUDIT 54 55 55 56 /* Mask for just the mount related flags */ 56 57 #define SE_MNTMASK 0x0f ··· 261 260 262 261 /* definitions of av_decision.flags */ 263 262 #define AVD_FLAGS_PERMISSIVE 0x0001 263 + #define AVD_FLAGS_NEVERAUDIT 0x0002 264 264 265 265 void security_compute_av(u32 ssid, u32 tsid, u16 tclass, 266 266 struct av_decision *avd,
+1 -2
security/selinux/selinuxfs.c
··· 1072 1072 pr_warn_ratelimited("SELinux: %s (%d) wrote to /sys/fs/selinux/user!" 1073 1073 " This will not be supported in the future; please update your" 1074 1074 " userspace.\n", current->comm, current->pid); 1075 + ssleep(5); 1075 1076 1076 1077 length = avc_has_perm(current_sid(), SECINITSID_SECURITY, 1077 1078 SECCLASS_SECURITY, SECURITY__COMPUTE_USER, ··· 2097 2096 err: 2098 2097 pr_err("SELinux: %s: failed while creating inodes\n", 2099 2098 __func__); 2100 - 2101 - selinux_fs_info_free(sb); 2102 2099 2103 2100 return ret; 2104 2101 }
+2 -1
security/selinux/ss/hashtab.c
··· 40 40 h->htable = NULL; 41 41 42 42 if (size) { 43 - h->htable = kcalloc(size, sizeof(*h->htable), GFP_KERNEL); 43 + h->htable = kcalloc(size, sizeof(*h->htable), 44 + GFP_KERNEL | __GFP_NOWARN); 44 45 if (!h->htable) 45 46 return -ENOMEM; 46 47 h->size = size;
+19
security/selinux/ss/policydb.c
··· 160 160 .sym_num = SYM_NUM, 161 161 .ocon_num = OCON_NUM, 162 162 }, 163 + { 164 + .version = POLICYDB_VERSION_NEVERAUDIT, 165 + .sym_num = SYM_NUM, 166 + .ocon_num = OCON_NUM, 167 + }, 163 168 }; 164 169 165 170 static const struct policydb_compat_info * ··· 536 531 ebitmap_init(&p->filename_trans_ttypes); 537 532 ebitmap_init(&p->policycaps); 538 533 ebitmap_init(&p->permissive_map); 534 + ebitmap_init(&p->neveraudit_map); 539 535 } 540 536 541 537 /* ··· 858 852 ebitmap_destroy(&p->filename_trans_ttypes); 859 853 ebitmap_destroy(&p->policycaps); 860 854 ebitmap_destroy(&p->permissive_map); 855 + ebitmap_destroy(&p->neveraudit_map); 861 856 } 862 857 863 858 /* ··· 2545 2538 goto bad; 2546 2539 } 2547 2540 2541 + if (p->policyvers >= POLICYDB_VERSION_NEVERAUDIT) { 2542 + rc = ebitmap_read(&p->neveraudit_map, fp); 2543 + if (rc) 2544 + goto bad; 2545 + } 2546 + 2548 2547 rc = -EINVAL; 2549 2548 info = policydb_lookup_compat(p->policyvers); 2550 2549 if (!info) { ··· 3732 3719 3733 3720 if (p->policyvers >= POLICYDB_VERSION_PERMISSIVE) { 3734 3721 rc = ebitmap_write(&p->permissive_map, fp); 3722 + if (rc) 3723 + return rc; 3724 + } 3725 + 3726 + if (p->policyvers >= POLICYDB_VERSION_NEVERAUDIT) { 3727 + rc = ebitmap_write(&p->neveraudit_map, fp); 3735 3728 if (rc) 3736 3729 return rc; 3737 3730 }
+2
security/selinux/ss/policydb.h
··· 300 300 301 301 struct ebitmap permissive_map; 302 302 303 + struct ebitmap neveraudit_map; 304 + 303 305 /* length of this policy when it was loaded */ 304 306 size_t len; 305 307
+20
security/selinux/ss/services.c
··· 1153 1153 if (ebitmap_get_bit(&policydb->permissive_map, scontext->type)) 1154 1154 avd->flags |= AVD_FLAGS_PERMISSIVE; 1155 1155 1156 + /* neveraudit domain? */ 1157 + if (ebitmap_get_bit(&policydb->neveraudit_map, scontext->type)) 1158 + avd->flags |= AVD_FLAGS_NEVERAUDIT; 1159 + 1160 + /* both permissive and neveraudit => allow */ 1161 + if (avd->flags == (AVD_FLAGS_PERMISSIVE|AVD_FLAGS_NEVERAUDIT)) 1162 + goto allow; 1163 + 1156 1164 tcontext = sidtab_search(sidtab, tsid); 1157 1165 if (!tcontext) { 1158 1166 pr_err("SELinux: %s: unrecognized SID %d\n", ··· 1180 1172 policydb->allow_unknown); 1181 1173 out: 1182 1174 rcu_read_unlock(); 1175 + if (avd->flags & AVD_FLAGS_NEVERAUDIT) 1176 + avd->auditallow = avd->auditdeny = 0; 1183 1177 return; 1184 1178 allow: 1185 1179 avd->allowed = 0xffffffff; ··· 1218 1208 if (ebitmap_get_bit(&policydb->permissive_map, scontext->type)) 1219 1209 avd->flags |= AVD_FLAGS_PERMISSIVE; 1220 1210 1211 + /* neveraudit domain? */ 1212 + if (ebitmap_get_bit(&policydb->neveraudit_map, scontext->type)) 1213 + avd->flags |= AVD_FLAGS_NEVERAUDIT; 1214 + 1215 + /* both permissive and neveraudit => allow */ 1216 + if (avd->flags == (AVD_FLAGS_PERMISSIVE|AVD_FLAGS_NEVERAUDIT)) 1217 + goto allow; 1218 + 1221 1219 tcontext = sidtab_search(sidtab, tsid); 1222 1220 if (!tcontext) { 1223 1221 pr_err("SELinux: %s: unrecognized SID %d\n", ··· 1243 1225 NULL); 1244 1226 out: 1245 1227 rcu_read_unlock(); 1228 + if (avd->flags & AVD_FLAGS_NEVERAUDIT) 1229 + avd->auditallow = avd->auditdeny = 0; 1246 1230 return; 1247 1231 allow: 1248 1232 avd->allowed = 0xffffffff;
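Review bot: in security/selinux/hooks.c the cache field at line 3184 is set from an exact equality, `avd->flags == (AVD_FLAGS_PERMISSIVE|AVD_FLAGS_NEVERAUDIT)`, so the first additional bit ever added to av_decision.flags will silently switch the permissive+neveraudit fast path off with no error; a mask test such as `(avd->flags & (AVD_FLAGS_PERMISSIVE|AVD_FLAGS_NEVERAUDIT)) == (AVD_FLAGS_PERMISSIVE|AVD_FLAGS_NEVERAUDIT)` states the intent and survives new flags. The two early returns in selinux_inode_permission() and selinux_inode_getattr() would also benefit from a one-line comment that a domain which can be neither denied nor audited produces no observable result from the full lookup, since at first read they look like a permission check being skipped.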
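Review bot: in security/selinux/include/avc.h the new `return 0` at line 70 of avc_audit_required() leaves the `*deniedp` out-parameter unwritten; callers today only read it when the returned audit mask is non-zero, but the function's contract is now "deniedp is valid unless we return 0 early", which is easy to break later. Setting `*deniedp = 0;` before the return costs nothing and keeps the out-parameter always defined.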
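Review bot: in security/selinux/include/objsec.h task_avdcache_permnoaudit() only reads through `tsec`, so the parameter should be `const struct task_security_struct *tsec`; that documents that the helper is side-effect free and lets it be called from const contexts. The three validity conditions it checks (cached flag, matching sid, matching policy seqno) duplicate the staleness logic of the existing dir cache, so a comment pointing at that logic, or a shared validity helper, would keep the two from drifting apart when the cache invalidation rules change.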
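Review bot: in security/selinux/include/security.h the new `AVD_FLAGS_NEVERAUDIT 0x0002` is not kernel-internal: av_decision.flags is reported verbatim to userspace through the selinuxfs access interface, so the bit value becomes ABI and should be mirrored in the libselinux definitions; a comment on the `/* definitions of av_decision.flags */` block saying that these values are exported would prevent a later renumbering.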
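Review bot: in security/selinux/selinuxfs.c the `ssleep(5)` at line 1075 is unconditional while the preceding pr_warn_ratelimited() is rate limited, so after the first few writes the delay is the only deprecation signal a caller gets, and ssleep() is uninterruptible, meaning the writing task cannot be signalled for the full five seconds. If that is the intended pressure, say so in a comment next to the call; otherwise msleep_interruptible() gives the same deterrent without making the task unkillable for the duration.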
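Review bot: in security/selinux/selinuxfs.c the removal of `selinux_fs_info_free(sb)` from the `err:` path at lines 2100-2101 is only correct because the superblock teardown releases the fs_info after the failed fill; nothing at the label says that now, and the next reader who sees an allocation with no matching free on the error path will be tempted to put the call back. A short comment at `err:` noting that the cleanup is owned by the kill_sb path would document the reasoning this change relies on.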
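Review bot: in security/selinux/ss/hashtab.c adding `__GFP_NOWARN` at line 44 silences the allocator for every caller of hashtab_init(), including a genuine out-of-memory during a legitimate policy load, which previously left a trace in the kernel log; the function still returns -ENOMEM, so the policy-load path should report that failure itself (a pr_err with the symbol table size) so an administrator can tell a real allocation failure from a fuzzer's oversized policy.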
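Review bot: in security/selinux/ss/policydb.c the `ebitmap_read(&p->neveraudit_map, fp)` at line 2542 accepts whatever bits are in the policy without checking them against the number of types, mirroring permissive_map; since a type that is both permissive and neveraudit is effectively unchecked and unlogged, it would help operators to validate that set bits fall within the loaded type range and to emit a single pr_info at load time listing such types, so the condition is visible in the kernel log rather than only discoverable by reading the policy. The write-side change at lines 3722-3729 is fine; note that it also fixes the permissive block's missing brace placement in the diff, which is worth a mention in the commit message.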
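Review bot: in security/selinux/ss/services.c the two blocks at lines 1156-1162 and 1211-1217, and the two `out:` fix-ups at lines 1175-1176 and 1228-1229, are identical copies in security_compute_av() and security_compute_av_user(); a small static helper that sets AVD_FLAGS_NEVERAUDIT and reports whether the permissive+neveraudit shortcut applies would keep the two in step. As in hooks.c, the `avd->flags == (AVD_FLAGS_PERMISSIVE|AVD_FLAGS_NEVERAUDIT)` equality should be a mask test. Also worth a comment: the `goto allow` now happens before `sidtab_search(sidtab, tsid)`, so for such domains an unrecognized target SID is no longer diagnosed by the pr_err below it.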