Date: Wed, 6 Mar 2019 05:57:03 +1100 (AEDT)
From: James Morris
To: Linus Torvalds
cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [GIT PULL] security subsystem changes for v5.1

Please pull these changes for the security subsystem.

Summary:

- Extend LSM stacking to allow sharing of cred, file, ipc, inode, and task
  blobs. This paves the way for more full-featured LSMs to be merged, and
  is specifically aimed at LandLock and SARA LSMs. This work is from Casey
  and Kees.

- There's a new LSM from Micah Morton: "SafeSetID gates the setid family
  of syscalls to restrict UID/GID transitions from a given UID/GID to
  only those approved by a system-wide whitelist." This feature is
  currently shipping in ChromeOS.

---

The following changes since commit 49a57857aeea06ca831043acbb0fa5e0f50602fd:

  Linux 5.0-rc3 (2019-01-21 13:14:44 +1300)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next-general

for you to fetch changes up to 468e91cecb3218afd684b8c422490dfebe0691bb:

  keys: fix missing __user in KEYCTL_PKEY_QUERY (2019-03-04 15:48:37 -0800)

----------------------------------------------------------------
Ben Dooks (1):
      keys: fix missing __user in KEYCTL_PKEY_QUERY

Casey Schaufler (19):
      LSM: Add all exclusive LSMs to ordered initialization
      procfs: add smack subdir to attrs
      Smack: Abstract use of cred security blob
      SELinux: Abstract use of cred security blob
      SELinux: Remove cred security blob poisoning
      SELinux: Remove unused selinux_is_enabled
      AppArmor: Abstract use of cred security blob
      TOMOYO: Abstract use of cred security blob
      Infrastructure management of the cred security blob
      SELinux: Abstract use of file security blob
      Smack: Abstract use of file security blob
      LSM: Infrastructure management of the file security
      SELinux: Abstract use of inode security blob
      Smack: Abstract use of inode security blob
      LSM: Infrastructure management of the inode security
      LSM: Infrastructure management of the task security
      SELinux: Abstract use of ipc security blobs
      Smack: Abstract use of ipc security blobs
      LSM: Infrastructure management of the ipc security blob

Gustavo A. R. Silva (1):
      security: mark expected switch fall-throughs and add a missing break

James Morris (3):
      Merge tag 'v5.0-rc1' into next-general
      Merge tag 'blob-stacking-security-next' of https://git.kernel.org/.../kees/linux into next-general
      Merge tag 'v5.0-rc3' into next-general

Kees Cook (20):
      LSM: Introduce LSM_FLAG_LEGACY_MAJOR
      LSM: Provide separate ordered initialization
      LSM: Plumb visibility into optional "enabled" state
      LSM: Lift LSM selection out of individual LSMs
      LSM: Build ordered list of LSMs to initialize
      LSM: Introduce CONFIG_LSM
      LSM: Introduce "lsm=" for boottime LSM selection
      LSM: Tie enabling logic to presence in ordered list
      LSM: Prepare for reorganizing "security=" logic
      LSM: Refactor "security=" in terms of enable/disable
      LSM: Separate idea of "major" LSM from "exclusive" LSM
      apparmor: Remove SECURITY_APPARMOR_BOOTPARAM_VALUE
      selinux: Remove SECURITY_SELINUX_BOOTPARAM_VALUE
      LSM: Split LSM preparation from initialization
      LoadPin: Initialize as ordered LSM
      Yama: Initialize as ordered LSM
      LSM: Introduce enum lsm_order
      capability: Initialize as LSM_ORDER_FIRST
      TOMOYO: Update LSM flags to no longer be exclusive
      LSM: Ignore "security=" when "lsm=" is specified

Mathieu Malaterre (4):
      capabilities:: annotate implicit fall through
      security: keys: annotate implicit fall through
      security: keys: annotate implicit fall throughs
      security: keys: annotate implicit fall throughs

Micah Morton (8):
      LSM: generalize flag passing to security_capable
      LSM: add SafeSetID module that gates setid calls
      LSM: add SafeSetID module that gates setid calls
      LSM: Add 'name' field for SafeSetID in DEFINE_LSM
      LSM: SafeSetID: 'depend' on CONFIG_SECURITY
      LSM: SafeSetID: remove unused include
      LSM: SafeSetID: add selftest
      LSM: Update function documentation for cap_capable

Petr Vorel (1):
      LSM: Update list of SECURITYFS users in Kconfig

Tetsuo Handa (6):
      LSM: Make lsm_early_cred() and lsm_early_task() local functions.
      apparmor: Adjust offset when accessing task blob.
      tomoyo: Swicth from cred->security to task_struct->security.
      tomoyo: Coding style fix.
      tomoyo: Allow multiple use_group lines.
      tomoyo: Bump version.

Wei Yongjun (2):
      LSM: Make some functions static
      LSM: fix return value check in safesetid_init_securityfs()

 Documentation/admin-guide/LSM/SafeSetID.rst        | 107 ++++
 Documentation/admin-guide/LSM/index.rst            |  14 +-
 Documentation/admin-guide/kernel-parameters.txt    |  12 +-
 MAINTAINERS                                        |  11 +-
 fs/proc/base.c                                     |  64 +-
 fs/proc/internal.h                                 |   1 +
 include/linux/capability.h                         |   5 +
 include/linux/cred.h                               |   1 -
 include/linux/lsm_hooks.h                          |  45 +-
 include/linux/security.h                           |  43 +-
 include/linux/selinux.h                            |  35 --
 kernel/capability.c                                |  45 +-
 kernel/cred.c                                      |  13 -
 kernel/seccomp.c                                   |   4 +-
 kernel/sys.c                                       |  10 +-
 security/Kconfig                                   |  45 +-
 security/Makefile                                  |   2 +
 security/apparmor/Kconfig                          |  16 -
 security/apparmor/capability.c                     |  14 +-
 security/apparmor/domain.c                         |   4 +-
 security/apparmor/include/capability.h             |   2 +-
 security/apparmor/include/cred.h                   |  16 +-
 security/apparmor/include/file.h                   |   5 +-
 security/apparmor/include/lib.h                    |   4 +
 security/apparmor/include/task.h                   |  18 +-
 security/apparmor/ipc.c                            |   3 +-
 security/apparmor/lsm.c                            |  67 +--
 security/apparmor/resource.c                       |   2 +-
 security/apparmor/task.c                           |   6 +-
 security/commoncap.c                               |  28 +-
 security/integrity/ima/ima_appraise.c              |   1 +
 security/integrity/ima/ima_policy.c                |   4 +
 security/integrity/ima/ima_template_lib.c          |   1 +
 security/keys/keyctl.c                             |   2 +-
 security/keys/keyring.c                            |   1 +
 security/keys/process_keys.c                       |   3 +
 security/keys/request_key.c                        |   4 +
 security/loadpin/loadpin.c                         |   8 +-
 security/safesetid/Kconfig                         |  14 +
 security/safesetid/Makefile                        |   7 +
 security/safesetid/lsm.c                           | 277 +++++++++
 security/safesetid/lsm.h                           |  33 ++
 security/safesetid/securityfs.c                    | 193 ++++++
 security/security.c                                | 648 ++++++++++++++++++---
 security/selinux/Kconfig                           |  15 -
 security/selinux/Makefile                          |   2 +-
 security/selinux/exports.c                         |  23 -
 security/selinux/hooks.c                           | 362 +++---------
 security/selinux/include/audit.h                   |   3 -
 security/selinux/include/objsec.h                  |  38 +-
 security/selinux/selinuxfs.c                       |   4 +-
 security/selinux/ss/services.c                     |   1 -
 security/selinux/xfrm.c                            |   4 +-
 security/smack/smack.h                             |  44 +-
 security/smack/smack_access.c                      |   6 +-
 security/smack/smack_lsm.c                         | 317 ++++------
 security/smack/smackfs.c                           |  18 +-
 security/tomoyo/audit.c                            |  31 +-
 security/tomoyo/common.c                           | 199 +++++--
 security/tomoyo/common.h                           |  51 +-
 security/tomoyo/condition.c                        |  59 +-
 security/tomoyo/domain.c                           |  76 ++-
 security/tomoyo/file.c                             |  20 +
 security/tomoyo/gc.c                               |  19 +
 security/tomoyo/group.c                            |   5 +
 security/tomoyo/load_policy.c                      |   8 +-
 security/tomoyo/memory.c                           |   9 +-
 security/tomoyo/mount.c                            |   2 +
 security/tomoyo/realpath.c                         |  18 +-
 security/tomoyo/securityfs_if.c                    |  30 +-
 security/tomoyo/tomoyo.c                           | 160 +++--
 security/tomoyo/util.c                             |  23 +-
 security/yama/yama_lsm.c                           |   8 +-
 tools/testing/selftests/safesetid/.gitignore       |   1 +
 tools/testing/selftests/safesetid/Makefile         |   8 +
 tools/testing/selftests/safesetid/config           |   2 +
 tools/testing/selftests/safesetid/safesetid-test.c | 334 +++++++++++
 .../testing/selftests/safesetid/safesetid-test.sh  |  26 +
 78 files changed, 2674 insertions(+), 1090 deletions(-)
 create mode 100644 Documentation/admin-guide/LSM/SafeSetID.rst
 delete mode 100644 include/linux/selinux.h
 create mode 100644 security/safesetid/Kconfig
 create mode 100644 security/safesetid/Makefile
 create mode 100644 security/safesetid/lsm.c
 create mode 100644 security/safesetid/lsm.h
 create mode 100644 security/safesetid/securityfs.c
 delete mode 100644 security/selinux/exports.c
 create mode 100644 tools/testing/selftests/safesetid/.gitignore
 create mode 100644 tools/testing/selftests/safesetid/Makefile
 create mode 100644 tools/testing/selftests/safesetid/config
 create mode 100644 tools/testing/selftests/safesetid/safesetid-test.c
 create mode 100755 tools/testing/selftests/safesetid/safesetid-test.sh