Hi Linus,

We've got twenty SELinux patches for the v5.7 merge window, the highlights are below. Beyond the highlights there are a couple of things I want to call out in this pull request: a merge conflict, and a maintainer screw-up.

The merge conflict is in security/selinux/hooks.c and is against a binder fs name fix we sent during the v5.6-rcX cycle; the fixup is trivial but if you need me to fix it, let me know.

The maintainer screw-up deals with the second patch from the top of the pull request, the NFS fix. The screw-up isn't the fact that this is an NFS patch, we talked to the NFS guys and they are okay with it. The issue is that the commit date is today - during the merge window - which doesn't reflect the testing the patch received. The reality is that I merged this patch back on March 12th, and it has been part of our testing ever since, but when putting this pull request together I noticed that I had dropped the subject line from the patch when I was merging it. Not wanting a malformed commit, I popped the top two patches from the stack and restored the missing subject line; this had the unfortunate side effect of making it look like the two top patches were just merged today - my apologies.

Regardless, here are the highlights:

- Deprecate setting /sys/fs/selinux/checkreqprot to 1. This flag was originally created to deal with legacy userspace and the READ_IMPLIES_EXEC personality flag. We changed the default from 1 to 0 back in Linux v4.4 and now we are taking the next step of deprecating it; at some point in the future we will take the final step of rejecting 1.

- Allow kernfs symlinks to inherit the SELinux label of the parent directory. In order to preserve backwards compatibility this is protected by the genfs_seclabel_symlinks SELinux policy capability.

- Optimize how we store filename transitions in the kernel, resulting in some significant improvements to policy load times.

- Do a better job calculating our internal hash table sizes which resulted in additional policy load improvements and likely general SELinux performance improvements as well.

- Remove the unused initial SIDs (labels) and improve how we handle initial SIDs.

- Enable per-file labeling for the bpf filesystem.

- Ensure that we properly label NFS v4.2 filesystems to avoid a temporary unlabeled condition.

- Add some missing XFS quota command types to the SELinux quota access controls.

- Fix a problem where we were not updating the seq_file position index correctly in selinuxfs.

- We consolidate some duplicated code into helper functions.

- A number of list to array conversions.

- Update Stephen Smalley's email address in MAINTAINERS.

Thanks,
-Paul

--

The following changes since commit bb6d3fb354c5ee8d6bde2d576eb7220ea09862b9:

  Linux 5.6-rc1 (2020-02-09 16:08:48 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git tags/selinux-pr-20200330

for you to fetch changes up to c753924b628551564b6eea3c9896e4a95aa25ed9:

  selinux: clean up indentation issue with assignment statement (2020-03-30 19:57:07 -0400)

----------------------------------------------------------------
selinux/stable-5.7 PR 20200330
----------------------------------------------------------------
Christian Göttsche (1):
      selinux: allow kernfs symlinks to inherit parent directory context

Colin Ian King (1):
      selinux: clean up indentation issue with assignment statement

Connor O'Brien (1):
      security: selinux: allow per-file labeling for bpffs

Ondrej Mosnacek (10):
      selinux: move status variables out of selinux_ss
      selinux: simplify evaluate_cond_node()
      selinux: convert cond_list to array
      selinux: convert cond_av_list to array
      selinux: convert cond_expr to array
      selinux: generalize evaluate_cond_node()
      selinux: factor out loop body from filename_trans_read()
      selinux: optimize storage of filename transitions
      selinux: reduce the use of hard-coded hash sizes
      selinux: clean up error path in policydb_init()

Paul Moore (1):
      selinux: avtab_init() and cond_policydb_init() return void

Richard Haines (1):
      selinux: Add xfs quota command types

Scott Mayhew (1):
      NFS: Ensure security label is set for root inode

Stephen Smalley (3):
      Documentation,selinux: deprecate setting checkreqprot to 1
      selinux: remove unused initial SIDs and improve handling
      MAINTAINERS: Update my email address

Vasily Averin (1):
      selinux: sel_avc_get_stat_idx should increase position index

 .../ABI/obsolete/sysfs-selinux-checkreqprot       |  23 ++
 Documentation/admin-guide/kernel-parameters.txt   |   1 +
 MAINTAINERS                                       |   3 +-
 fs/nfs/getroot.c                                  |  39 ++-
 fs/nfs/nfs4proc.c                                 |  12 +-
 fs/nfs/super.c                                    |  25 --
 include/linux/nfs_xdr.h                           |   1 +
 scripts/selinux/genheaders/genheaders.c           |  11 +-
 security/selinux/Kconfig                          |   3 +
 security/selinux/Makefile                         |   4 +-
 security/selinux/hooks.c                          |  18 +-
 security/selinux/include/conditional.h            |   8 +-
 security/selinux/include/initial_sid_to_string.h  |  57 ++--
 security/selinux/include/security.h               |  12 +
 security/selinux/selinuxfs.c                      |  19 +-
 security/selinux/ss/avtab.c                       |   3 +-
 security/selinux/ss/avtab.h                       |   2 +-
 security/selinux/ss/conditional.c                 | 259 +++++-------
 security/selinux/ss/conditional.h                 |  29 +-
 security/selinux/ss/hashtab.c                     |  28 +-
 security/selinux/ss/hashtab.h                     |   2 +-
 security/selinux/ss/policydb.c                    | 326 ++++++++---------
 security/selinux/ss/policydb.h                    |  13 +-
 security/selinux/ss/services.c                    |  79 +++--
 security/selinux/ss/services.h                    |   2 -
 security/selinux/{ss => }/status.c                |  32 +-
 26 files changed, 521 insertions(+), 490 deletions(-)
 create mode 100644 Documentation/ABI/obsolete/sysfs-selinux-checkreqprot
 rename security/selinux/{ss => }/status.c (81%)

--
paul moore
www.paul-moore.com
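An added audit check (my example, not part of the pull request or the kernel tree) for the two settings the highlights discuss: it reports whether checkreqprot is set to the deprecated value 1, either in selinuxfs or forced by the checkreqprot= boot parameter, and whether the loaded policy enables the genfs_seclabel_symlinks capability. The selinuxfs root and cmdline file are parameters so the check can run against a constructed fake tree; the policy_capabilities/<name> file layout is assumed from how selinuxfs exposes policy capabilities.

```shell
#!/bin/sh
# Added example: audit SELinux checkreqprot and the genfs_seclabel_symlinks
# policy capability. $1 is the selinuxfs root (/sys/fs/selinux on a real host).

# Print "deprecated" if checkreqprot is 1 (the setting this pull request
# deprecates), "ok" if it is 0, "absent" if selinuxfs is not mounted at $1.
checkreqprot_status() {
    f="$1/checkreqprot"
    [ -r "$f" ] || { echo absent; return 0; }
    case "$(cat "$f")" in
        1) echo deprecated ;;
        0) echo ok ;;
        *) echo unknown ;;
    esac
}

# Succeed if the kernel command line (file $1, normally /proc/cmdline)
# contains checkreqprot=1, which re-enables the deprecated value at boot
# regardless of the default compiled into the kernel.
cmdline_forces_checkreqprot() {
    tr ' ' '\n' < "$1" | grep -qx 'checkreqprot=1'
}

# Print "enabled"/"disabled" from the per-capability file selinuxfs exposes
# (assumed path: policy_capabilities/genfs_seclabel_symlinks, containing 1 or
# 0), or "unsupported" if the running kernel/policy does not have the file.
genfs_symlink_capability() {
    f="$1/policy_capabilities/genfs_seclabel_symlinks"
    [ -r "$f" ] || { echo unsupported; return 0; }
    if [ "$(cat "$f")" = 1 ]; then echo enabled; else echo disabled; fi
}

# Constructed fake selinuxfs tree and cmdline so the checks run offline:
# checkreqprot=1 both in selinuxfs and on the boot line, capability off.
make_fake_selinuxfs() {
    d="$1"
    mkdir -p "$d/policy_capabilities"
    echo 1 > "$d/checkreqprot"
    echo 0 > "$d/policy_capabilities/genfs_seclabel_symlinks"
    echo 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 checkreqprot=1 quiet' > "$d/cmdline"
}
```

On a live system call the functions with /sys/fs/selinux and /proc/cmdline; a "deprecated" result or a matching boot parameter is what to remediate before the value 1 is rejected outright.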