From: Paul Moore
Date: Tue, 3 Apr 2018 21:37:11 -0400
Subject: [GIT PULL] SELinux patches for v4.17
To: Linus Torvalds
Cc: selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org

Hi Linus,

A bigger than usual pull request for SELinux, 13 patches (lucky!) along with a scary looking diffstat. Although if you look a bit closer, excluding the usual minor tweaks/fixes, there are really only two significant changes in this pull request: the addition of proper SELinux access controls for SCTP and the encapsulation of a lot of internal SELinux state.

The SCTP changes are the result of a multi-month effort (maybe even a year or longer?) between the SELinux folks and the SCTP folks to add proper SELinux controls. A special thanks go to Richard for seeing this through and keeping the effort moving forward.

The state encapsulation work is a bit of janitorial work that came out of some early work on SELinux namespacing. The question of namespacing is still an open one, but I believe there is some real value in the encapsulation work so we've split that out and are now sending that up to you.

Everything passes the selinux-testsuite, but there are a few known merge conflicts.
The first is with the netdev tree and is in net/sctp/socket.c. Unfortunately it is a bit ugly; thankfully Stephen Rothwell has already done the heavy lifting in resolving the merge for you, and the SCTP folks have given his merge patch a thumbs-up. Link below:

* https://marc.info/?l=linux-netdev&m=152047486123499&w=2

There are also two conflicts with James' security tree, both rather easy. The first is in security/selinux/hooks.c and is quite trivial, but since I've got the linux-next archive handy, here is a link to the merge fixup:

* https://marc.info/?l=linux-next&m=152160312324537&w=2

The second security/SELinux conflict is in include/linux/lsm_hooks.h and while the size of the fixup is scary at first, it is really just the three new LSM/SCTP hooks and isn't that bad at all:

* https://marc.info/?l=linux-next&m=152273068901460&w=2

In the past I know you have preferred to handle your own merge conflict resolution, but the above is a bit more than usual, at least for the SELinux tree. If you would prefer that I handle the merge conflicts and send you a new PR (or something else), let me know.
Thanks,
-Paul

--
The following changes since commit 7928b2cbe55b2a410a0f5c1f154610059c57b1b2:

  Linux 4.16-rc1 (2018-02-11 15:04:29 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git tags/selinux-pr-20180403

for you to fetch changes up to 6b6bc6205d98796361962ee282a063f18ba8dc57:

  selinux: wrap AVC state (2018-03-20 16:58:17 -0400)

----------------------------------------------------------------
selinux/stable-4.17 PR 20180403
----------------------------------------------------------------
Arnd Bergmann (1):
      selinux: fix typo in selinux_netlbl_sctp_sk_clone declaration

Paul Moore (1):
      selinux: rename the {is,set}_enforcing() functions

Richard Haines (7):
      netlabel: If PF_INET6, check sk_buff ip header version
      security: Add support for SCTP security hooks
      sctp: Add ip option support
      sctp: Add LSM hooks
      selinux: Add SCTP support
      selinux: Fix ltp test connect-syscall failure
      selinux: Update SELinux SCTP documentation

Stephen Smalley (4):
      selinux: wrap global selinux state
      selinux: fix handling of uninitialized selinux state in get_bools/classes
      selinux: wrap selinuxfs state
      selinux: wrap AVC state

 Documentation/security/LSM-sctp.rst      |  175 +++++
 Documentation/security/SELinux-sctp.rst  |  158 +++++
 include/linux/lsm_hooks.h                |   36 +
 include/linux/security.h                 |   25 +
 include/net/sctp/sctp.h                  |    4 +-
 include/net/sctp/structs.h               |   12 +
 include/uapi/linux/sctp.h                |    1 +
 net/netlabel/netlabel_unlabeled.c        |   10 +
 net/sctp/chunk.c                         |   10 +-
 net/sctp/ipv6.c                          |   45 +-
 net/sctp/output.c                        |   34 +-
 net/sctp/protocol.c                      |   43 ++
 net/sctp/sm_make_chunk.c                 |   12 +
 net/sctp/sm_statefuns.c                  |   18 +
 net/sctp/socket.c                        |   73 +-
 security/security.c                      |   22 +
 security/selinux/avc.c                   |  282 ++++----
 security/selinux/hooks.c                 |  922 +++++++++++++++++++-------
 security/selinux/ibpkey.c                |    3 +-
 security/selinux/include/avc.h           |   38 +-
 security/selinux/include/avc_ss.h        |    9 +-
 security/selinux/include/classmap.h      |    2 +-
 security/selinux/include/conditional.h   |   11 +-
 security/selinux/include/netlabel.h      |   22 +-
 security/selinux/include/objsec.h        |    6 +-
 security/selinux/include/security.h      |  231 +++++--
 security/selinux/netif.c                 |    2 +-
 security/selinux/netlabel.c              |  148 ++++-
 security/selinux/netnode.c               |    4 +-
 security/selinux/netport.c               |    2 +-
 security/selinux/selinuxfs.c             |  493 ++++++++------
 security/selinux/ss/avtab.c              |    9 +-
 security/selinux/ss/avtab.h              |    3 -
 security/selinux/ss/ebitmap.c            |    7 +-
 security/selinux/ss/ebitmap.h            |    3 -
 security/selinux/ss/hashtab.c            |    8 +-
 security/selinux/ss/hashtab.h            |    4 -
 security/selinux/ss/mls.c                |   72 +-
 security/selinux/ss/mls.h                |   38 +-
 security/selinux/ss/services.c           | 1100 ++++++++++++++++++-------
 security/selinux/ss/services.h           |   24 +-
 security/selinux/ss/status.c             |   47 +-
 security/selinux/xfrm.c                  |   23 +-
 43 files changed, 2939 insertions(+), 1252 deletions(-)
 create mode 100644 Documentation/security/LSM-sctp.rst
 create mode 100644 Documentation/security/SELinux-sctp.rst

--
paul moore
www.paul-moore.com