[GIT 4.9] LSM,security,selinux,smack: Backport of LSM changes

The following changes since commit 445514206988935e5ef0e80588d7481aa3cd3b7b:

  Linux 4.9.322 (2022-07-07 17:30:12 +0200)

are available in the Git repository at:

  https://github.com/Flamefire/android_kernel_sony_msm8998.git lsm_hooks_backport_4.9

for you to fetch changes up to 911aa0e49633be52c7a2de8c99de87b6bf3a7604:

  LSM: Initialize security_hook_heads upon registration. (2022-07-09 12:51:42 +0200)

All commits are cherry-picks/backports from mainline.
The intent was to apply the last commit ("LSM: Initialize security_hook_heads upon registration.") with as few changes as possible.
This revealed added/removed/changed hooks and related changes which seem valuable to have in 4.9 and, via the CIP, in 4.4 SLTS.
For additional context: I initially backported those directly to CIP's v4.4-st14 and tested them on an ARM64 Android device from SONY. [1]

I'm open to breaking down the changes into smaller batches. If that is beneficial, please advise on how/where to split this batch.
But for now I thought it would be useful to see the full set of changes intended.

References:
- https://lore.kernel.org/all/1478812710-17190-2-git-send-email-agruenba@xxxxxxxxxx/T/
- https://lkml.org/lkml/2016/6/24/564
- https://patchwork.kernel.org/project/linux-hardening/patch/alpine.LRH.2.20.1702150016220.32759@xxxxxxxxx/
- https://www.mail-archive.com/linux-kernel@xxxxxxxxxxxxxxx/msg2415740.html

----------------------------------------------------------------
Andreas Gruenbacher (4):
      proc: Pass file mode to proc_pid_make_inode
      selinux: Minor cleanups
      selinux: Clean up initialization of isec->sclass
      selinux: Convert isec->lock into a spinlock

Casey Schaufler (1):
      LSM: Add /sys/kernel/security/lsm

James Morris (2):
      security: introduce CONFIG_SECURITY_WRITABLE_HOOKS
      security: mark LSM hooks as __ro_after_init

Ondrej Mosnacek (1):
      selinux: drop super_block backpointer from superblock_security_struct

Paul Moore (2):
      selinux: fix inode_doinit_with_dentry() LABEL_INVALID error handling
      lsm,selinux: pass flowi_common instead of flowi to the LSM hooks

Stephen Smalley (2):
      prlimit,security,selinux: add a security hook for prlimit
      security,selinux,smack: kill security_task_wait hook

Tetsuo Handa (1):
      LSM: Initialize security_hook_heads upon registration.

Tianyue Ren (1):
      selinux: fix error initialization in inode_doinit_with_dentry()

bauen1 (1):
      selinux: allow dontauditx and auditallowx rules to take effect without allowx

 Documentation/security/LSM.txt      |   7 ++
 fs/proc/base.c                      |  23 ++--
 fs/proc/fd.c                        |   6 +-
 fs/proc/internal.h                  |   2 +-
 fs/proc/namespaces.c                |   3 +-
 include/linux/lsm_hooks.h           |  50 +++++----
 include/linux/security.h            |  42 +++++---
 include/net/flow.h                  |  10 ++
 include/net/route.h                 |   6 +-
 kernel/exit.c                       |  19 +---
 kernel/sys.c                        |  30 +++---
 net/dccp/ipv4.c                     |   2 +-
 net/dccp/ipv6.c                     |   6 +-
 net/ipv4/icmp.c                     |   4 +-
 net/ipv4/inet_connection_sock.c     |   4 +-
 net/ipv4/ip_output.c                |   2 +-
 net/ipv4/ping.c                     |   2 +-
 net/ipv4/raw.c                      |   2 +-
 net/ipv4/syncookies.c               |   2 +-
 net/ipv4/udp.c                      |   2 +-
 net/ipv6/af_inet6.c                 |   2 +-
 net/ipv6/icmp.c                     |   6 +-
 net/ipv6/inet6_connection_sock.c    |   4 +-
 net/ipv6/netfilter/ip6t_SYNPROXY.c  |   2 +-
 net/ipv6/netfilter/nf_reject_ipv6.c |   2 +-
 net/ipv6/ping.c                     |   2 +-
 net/ipv6/raw.c                      |   2 +-
 net/ipv6/syncookies.c               |   2 +-
 net/ipv6/tcp_ipv6.c                 |   4 +-
 net/ipv6/udp.c                      |   2 +-
 net/l2tp/l2tp_ip6.c                 |   2 +-
 net/xfrm/xfrm_state.c               |   6 +-
 security/Kconfig                    |   5 +
 security/apparmor/lsm.c             |   5 +-
 security/commoncap.c                |   5 +-
 security/inode.c                    |  26 ++++-
 security/security.c                 | 426 +++++++++++---------------------------------------------------------------
 security/selinux/Kconfig            |   6 ++
 security/selinux/hooks.c            | 156 +++++++++++++++++----------
 security/selinux/include/classmap.h |   2 +-
 security/selinux/include/objsec.h   |   6 +-
 security/selinux/include/xfrm.h     |   2 +-
 security/selinux/selinuxfs.c        |   4 +-
 security/selinux/ss/services.c      |   4 +-
 security/selinux/xfrm.c             |   8 +-
 security/smack/smack_lsm.c          |  24 +----
 security/tomoyo/tomoyo.c            |   4 +-
 security/yama/yama_lsm.c            |   4 +-
 48 files changed, 359 insertions(+), 588 deletions(-)
