From: Paul Moore
Date: Mon, 14 Dec 2020 21:18:20 -0500
Subject: [GIT PULL] SELinux patches for v5.11
To: Linus Torvalds
Cc: selinux@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Linus,

While we have a small number of SELinux patches for v5.11, there are a
few changes worth highlighting:

- Change the LSM network hooks to pass flowi_common structs instead of
  the parent flowi struct as the LSMs do not currently need the full
  flowi struct and they do not have enough information to use it safely
  (missing information on the address family). This patch was discussed
  both with Herbert Xu (representing team netdev) and James Morris
  (representing team LSMs-other-than-SELinux).

- Fix how we handle errors in inode_doinit_with_dentry() so that we
  attempt to properly label the inode on following lookups instead of
  continuing to treat it as unlabeled.

- Tweak the kernel logic around allowx, auditallowx, and dontauditx
  SELinux policy statements such that the auditx/dontauditx are
  effective even without the allowx statement.

Everything passes our test suite and as of an hour or two ago it
applies cleanly to your tree; please merge for v5.11.

Thanks,
-Paul

--
The following changes since commit 3650b228f83adda7e5ee532e2b90429c03f7b9ec:

  Linux 5.10-rc1 (2020-10-25 15:14:11 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git tags/selinux-pr-20201214

for you to fetch changes up to 3df98d79215ace13d1e91ddfc5a67a0f5acbd83f:

  lsm,selinux: pass flowi_common instead of flowi to the LSM hooks (2020-11-23 18:36:21 -0500)

----------------------------------------------------------------
selinux/stable-5.11 PR 20201214

----------------------------------------------------------------
Gustavo A. R. Silva (1):
      selinux: Fix fall-through warnings for Clang

Ondrej Mosnacek (1):
      selinux: drop super_block backpointer from superblock_security_struct

Paul Moore (2):
      selinux: fix inode_doinit_with_dentry() LABEL_INVALID error handling
      lsm,selinux: pass flowi_common instead of flowi to the LSM hooks

Tianyue Ren (1):
      selinux: fix error initialization in inode_doinit_with_dentry()

bauen1 (1):
      selinux: allow dontauditx and auditallowx rules to take effect without allowx

 .../chelsio/inline_crypto/chtls/chtls_cm.c |  2 +-
 drivers/net/wireguard/socket.c             |  4 ++--
 include/linux/lsm_hook_defs.h              |  4 ++--
 include/linux/lsm_hooks.h                  |  2 +-
 include/linux/security.h                   | 23 +++++++++-------
 include/net/flow.h                         | 10 +++++++++
 include/net/route.h                        |  6 ++---
 net/dccp/ipv4.c                            |  2 +-
 net/dccp/ipv6.c                            |  6 ++---
 net/ipv4/icmp.c                            |  4 ++--
 net/ipv4/inet_connection_sock.c            |  4 ++--
 net/ipv4/ip_output.c                       |  2 +-
 net/ipv4/ping.c                            |  2 +-
 net/ipv4/raw.c                             |  2 +-
 net/ipv4/syncookies.c                      |  2 +-
 net/ipv4/udp.c                             |  2 +-
 net/ipv6/af_inet6.c                        |  2 +-
 net/ipv6/datagram.c                        |  2 +-
 net/ipv6/icmp.c                            |  6 ++---
 net/ipv6/inet6_connection_sock.c           |  4 ++--
 net/ipv6/netfilter/nf_reject_ipv6.c        |  2 +-
 net/ipv6/ping.c                            |  2 +-
 net/ipv6/raw.c                             |  2 +-
 net/ipv6/syncookies.c                      |  2 +-
 net/ipv6/tcp_ipv6.c                        |  4 ++--
 net/ipv6/udp.c                             |  2 +-
 net/l2tp/l2tp_ip6.c                        |  2 +-
 net/netfilter/nf_synproxy_core.c           |  2 +-
 net/xfrm/xfrm_state.c                      |  6 +++--
 security/security.c                        | 17 +++++++-------
 security/selinux/hooks.c                   | 26 ++++++++++++------
 security/selinux/include/objsec.h          |  1 -
 security/selinux/include/xfrm.h            |  2 +-
 security/selinux/ss/services.c             |  4 +---
 security/selinux/xfrm.c                    | 13 ++++++-----
 35 files changed, 101 insertions(+), 77 deletions(-)

-- 
paul moore
www.paul-moore.com
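
An added example, not part of the original message or of the kernel tree: a user-space C model of the flowi_common change described in the first bullet, showing how a hook handed the whole flowi union without the address family can read the wrong member, while a hook handed only flowi_common cannot. The struct layouts are reduced assumptions, and the hook and demo function names are hypothetical.

```c
#include <stdint.h>
#include <string.h>

/* Simplified user-space model (assumed layout, not kernel code): each
 * per-family flow begins with the same flowi_common header. */
struct flowi_common { int flowic_oif; uint32_t flowic_secid; };
struct flowi4 { struct flowi_common fl_common; uint32_t daddr, saddr; };
struct flowi6 { struct flowi_common fl_common; uint8_t daddr[16], saddr[16]; };
struct flowi {
    union { struct flowi_common fl_common; struct flowi4 ip4; struct flowi6 ip6; } u;
};

/* "Before" shape (hypothetical hook): it sees the whole union but is never
 * told the address family, so nothing stops it reading the wrong member. */
static uint32_t hook_before_read_daddr(const struct flowi *fl)
{
    return fl->u.ip4.daddr; /* meaningless when the caller filled in u.ip6 */
}

/* "After" shape (hypothetical hook): only the family-independent header
 * is reachable, so there is no per-family field to misinterpret. */
static void hook_after_set_secid(struct flowi_common *flic, uint32_t secid)
{
    flic->flowic_secid = secid;
}

/* Constructed IPv6 flow handed to the "before" hook. Returns 1 when the
 * "IPv4 address" it read is just the first four bytes of the IPv6 one. */
static int demo_before_misreads_ipv6(void)
{
    struct flowi fl;
    uint32_t first4;

    memset(&fl, 0, sizeof(fl));
    memset(fl.u.ip6.daddr, 0xAB, sizeof(fl.u.ip6.daddr));
    memcpy(&first4, fl.u.ip6.daddr, sizeof(first4));
    return hook_before_read_daddr(&fl) == first4;
}

/* An IPv6 caller passes only its common header; the label still lands. */
static uint32_t demo_after_labels_ipv6(uint32_t secid)
{
    struct flowi6 fl6;

    memset(&fl6, 0, sizeof(fl6));
    hook_after_set_secid(&fl6.fl_common, secid);
    return fl6.fl_common.flowic_secid;
}

int main(void) { return !(demo_before_misreads_ipv6() && demo_after_labels_ipv6(42) == 42); }
```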