Linus,

We've got a number of SELinux patches queued up for v5.18, the highlights
are below:

- Fixup the security_fs_context_parse_param() LSM hook so it executes all
  of the LSM hook implementations unless a serious error occurs. We also
  correct the SELinux hook implementation so that it returns zero on
  success.

- In addition to a few SELinux mount option parsing fixes, we simplified
  the parsing by moving it earlier in the process. The logic was that it
  was unlikely an admin/user would use the new mount API and not have the
  policy loaded before passing the SELinux options.

- Properly fixed the LSM/SELinux/SCTP hooks with the addition of the
  security_sctp_assoc_established() hook. This work was done in
  conjunction with the netdev folks and should complete the move of the
  SCTP labeling from the endpoints to the associations.

- Fixed a variety of sparse warnings caused by changes in the "__rcu"
  markings of some core kernel structures.

- Ensure we access the superblock's LSM security blob using the
  stacking-safe accessors.

- Added the ability for the kernel to always allow FIOCLEX and FIONCLEX
  if the "ioctl_skip_cloexec" policy capability is specified.

- Various constification improvements, type casting improvements,
  additional return value checks, and dead code/parameter removal.

- Documentation fixes.

Please merge.

-Paul

--
The following changes since commit e783362eb54cd99b2cac8b3a9aeac942e6f6ac07:

  Linux 5.17-rc1 (2022-01-23 10:12:53 +0200)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git tags/selinux-pr-20220321

for you to fetch changes up to cdbec3ede0b8cb318c36f5cc945b9360329cbd25:

  selinux: shorten the policy capability enum names (2022-03-02 11:37:03 -0500)

----------------------------------------------------------------
selinux/stable-5.18 PR 20220321
----------------------------------------------------------------
Casey Schaufler (1):
      LSM: general protection fault in legacy_parse_param

Christian Göttsche (11):
      selinux: check return value of sel_make_avc_files
      selinux: declare path parameters of _genfs_sid const
      selinux: declare name parameter of hash_eval const
      selinux: enclose macro arguments in parenthesis
      selinux: drop cast to same type
      selinux: drop unused parameter of avtab_insert_node
      selinux: do not discard const qualifier in cast
      selinux: simplify cred_init_security
      selinux: drop unused macro
      selinux: drop return statement at end of void functions
      selinux: use correct type for context length

GONG, Ruiqi (1):
      selinux: access superblock_security_struct in LSM blob way

Ondrej Mosnacek (3):
      selinux: parse contexts for mount options early
      security: add sctp_assoc_established hook
      security: implement sctp_assoc_established hook in selinux

Paul Moore (3):
      selinux: fix a type cast problem in cred_init_security()
      selinux: various sparse fixes
      selinux: shorten the policy capability enum names

Richard Haines (1):
      selinux: allow FIOCLEX and FIONCLEX with policy capability

Scott Mayhew (2):
      selinux: Fix selinux_sb_mnt_opts_compat()
      selinux: try to use preparsed sid before calling parse_sid()

Wan Jiabing (1):
      docs: fix 'make htmldocs' warning in SCTP.rst

 Documentation/security/SCTP.rst            |  26 ++-
 include/linux/lsm_hook_defs.h              |   2 +
 include/linux/lsm_hooks.h                  |   5 +
 include/linux/security.h                   |   8 +
 net/sctp/sm_statefuns.c                    |   8 +-
 security/security.c                        |  24 ++-
 security/selinux/hooks.c                   | 299 ++++++++++++++---------------
 security/selinux/ibpkey.c                  |   2 +-
 security/selinux/ima.c                     |   4 +-
 security/selinux/include/policycap.h       |  21 +-
 security/selinux/include/policycap_names.h |   5 +-
 security/selinux/include/security.h        |  31 +--
 security/selinux/netnode.c                 |   9 +-
 security/selinux/netport.c                 |   2 +-
 security/selinux/selinuxfs.c               |   4 +-
 security/selinux/ss/avtab.c                |   6 +-
 security/selinux/ss/conditional.c          |   2 -
 security/selinux/ss/ebitmap.c              |   1 -
 security/selinux/ss/ebitmap.h              |   6 +-
 security/selinux/ss/mls.c                  |   1 -
 security/selinux/ss/policydb.c             |   4 +-
 security/selinux/ss/services.c             |  10 +-
 security/selinux/ss/sidtab.c               |   4 +-
 security/selinux/xfrm.c                    |   2 +-
 24 files changed, 255 insertions(+), 231 deletions(-)

--
paul-moore.com
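The hook-chaining rule behind the first bullet (every LSM's fs_context_parse_param hook runs unless a serious error occurs, and the SELinux hook now signals success with zero), modelled as an added userspace C example that is not kernel code from this pull request: the two LSM hooks, their option names and the local ENOPARAM definition are constructed for the model, which assumes a hook returns 0 when it consumed the option, -ENOPARAM when the option is not one of its own, and any other negative errno to abort the chain.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define ENOPARAM 519 /* kernel-internal "parameter not supported"; defined for the model */
struct fs_parameter { const char *key; };
/* Hook shape modelled on fs_context_parse_param(fc, param), with fc omitted. */
typedef int (*parse_param_hook)(struct fs_parameter *param);
/* Constructed SELinux-like hook: consumes its own mount options and returns 0
 * on success (not 1); anything it does not recognise is -ENOPARAM. */
static int selinux_like_parse_param(struct fs_parameter *param)
{
	static const char *const mine[] = { "context", "fscontext", "defcontext", "rootcontext" };
	for (size_t i = 0; i < sizeof(mine) / sizeof(mine[0]); i++)
		if (strcmp(param->key, mine[i]) == 0)
			return 0;
	return -ENOPARAM;
}

/* Constructed second LSM: one option of its own; an empty key is a hard error. */
static int other_lsm_parse_param(struct fs_parameter *param)
{
	if (param->key[0] == '\0')
		return -EINVAL;
	return strcmp(param->key, "otherlsm_opt") == 0 ? 0 : -ENOPARAM;
}

/* Chained dispatch: 0 marks the option handled but the walk continues so every
 * LSM sees it, -ENOPARAM ("not mine") is skipped, and any other error stops the
 * walk at once. Returns -ENOPARAM if no LSM claimed the key. */
static int security_fs_context_parse_param_model(const parse_param_hook *hooks, size_t n, struct fs_parameter *p)
{
	int rc = -ENOPARAM;
	for (size_t i = 0; i < n; i++) {
		int trc = hooks[i](p);
		if (trc == 0)
			rc = 0;
		else if (trc != -ENOPARAM)
			return trc;
	}
	return rc;
}

/* Run one mount option key through both model LSMs. */
int parse_mount_option(const char *key)
{
	const parse_param_hook hooks[] = { selinux_like_parse_param, other_lsm_parse_param };
	struct fs_parameter p = { key };
	return security_fs_context_parse_param_model(hooks, 2, &p);
}
```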