Date: Fri, 23 Feb 2024 12:50:27 +1100
From: Stephen Rothwell
To: Paul Moore, David Miller, Jakub Kicinski, Paolo Abeni
Cc: Networking, Alexei Starovoitov, Andrii Nakryiko, Linux Kernel Mailing List, Linux Next Mailing List, Ondrej Mosnacek
Subject: linux-next: manual merge of the security tree with the net-next tree
Message-ID: <20240223125027.1c9f4f07@canb.auug.org.au>

Hi all,

Today's linux-next merge of the security tree got a conflict in:

  security/security.c

between commits:

  1b67772e4e3f ("bpf,lsm: Refactor bpf_prog_alloc/bpf_prog_free LSM hooks")
  a2431c7eabcf ("bpf,lsm: Refactor bpf_map_alloc/bpf_map_free LSM hooks")
  f568a3d49af9 ("bpf,lsm: Add BPF token LSM hooks")

from the net-next tree and commit:

  260017f31a8c ("lsm: use default hook return value in call_int_hook()")

from the security tree.

I fixed it up (I think, see below) and can carry the fix as necessary. This
is now fixed as far as linux-next is concerned, but any non trivial
conflicts should be mentioned to your upstream maintainer when your tree
is submitted for merging. You may also want to consider cooperating
with the maintainer of the conflicting tree to minimise any particularly
complex conflicts.

-- 
Cheers,
Stephen Rothwell

diff --cc security/security.c index aef69632d0a9,b95772333d05..000000000000 --- a/security/security.c +++ b/security/security.c @@@ -5458,10 -5436,9 +5439,10 @@@ int security_bpf_prog(struct bpf_prog * * * Return: Returns 0 on success, error on failure. */ -int security_bpf_map_alloc(struct bpf_map *map) +int security_bpf_map_create(struct bpf_map *map, union bpf_attr *attr, + struct bpf_token *token) { - return call_int_hook(bpf_map_create, 0, map, attr, token); - return call_int_hook(bpf_map_alloc_security, map); ++ return call_int_hook(bpf_map_create, map, attr, token); } =20 /** @@@ -5476,59 -5449,9 +5457,59 @@@ * * Return: Returns 0 on success, error on failure. */ -int security_bpf_prog_alloc(struct bpf_prog_aux *aux) +int security_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr, + struct bpf_token *token) { - return call_int_hook(bpf_prog_load, 0, prog, attr, token); - return call_int_hook(bpf_prog_alloc_security, aux); ++ return call_int_hook(bpf_prog_load, prog, attr, token); +} + +/** + * security_bpf_token_create() - Check if creating of BPF token is allowed + * @token: BPF token object + * @attr: BPF syscall attributes used to create BPF token + * @path: path pointing to BPF FS mount point from which BPF token is cre= ated + * + * Do a check when the kernel instantiates a new BPF token object from BP= F FS + * instance. This is also the point where LSM blob can be allocated for L= SMs. + * + * Return: Returns 0 on success, error on failure. 
+ */ +int security_bpf_token_create(struct bpf_token *token, union bpf_attr *at= tr, + struct path *path) +{ - return call_int_hook(bpf_token_create, 0, token, attr, path); ++ return call_int_hook(bpf_token_create, token, attr, path); +} + +/** + * security_bpf_token_cmd() - Check if BPF token is allowed to delegate + * requested BPF syscall command + * @token: BPF token object + * @cmd: BPF syscall command requested to be delegated by BPF token + * + * Do a check when the kernel decides whether provided BPF token should a= llow + * delegation of requested BPF syscall command. + * + * Return: Returns 0 on success, error on failure. + */ +int security_bpf_token_cmd(const struct bpf_token *token, enum bpf_cmd cm= d) +{ - return call_int_hook(bpf_token_cmd, 0, token, cmd); ++ return call_int_hook(bpf_token_cmd, token, cmd); +} + +/** + * security_bpf_token_capable() - Check if BPF token is allowed to delega= te + * requested BPF-related capability + * @token: BPF token object + * @cap: capabilities requested to be delegated by BPF token + * + * Do a check when the kernel decides whether provided BPF token should a= llow + * delegation of requested BPF-related capabilities. + * + * Return: Returns 0 on success, error on failure. 
+ */ +int security_bpf_token_capable(const struct bpf_token *token, int cap) +{ - return call_int_hook(bpf_token_capable, 0, token, cap); ++ return call_int_hook(bpf_token_capable, token, cap); } =20 /**
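
Review bot: in security_bpf_map_create() (first hunk) the resolved call `call_int_hook(bpf_map_create, map, attr, token)` no longer states the default return value, so the result when no LSM registers the hook now depends on the default given in the bpf_map_create hook definition, which this diff does not show. The net-next side passed `0` explicitly, so confirm that the definition also declares 0 and behaviour is unchanged. A sentence to that effect in the merge notes would help whoever carries this resolution upstream.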
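
Review bot: the second hunk drops the `0` argument at four call sites (bpf_prog_load, bpf_token_create, bpf_token_cmd, bpf_token_capable), but a combined diff only shows regions that differ from both parents. Any call_int_hook() use from the three net-next commits that merged without a textual conflict would still carry the old argument form and would not appear here, so search security/security.c after the merge for remaining calls that pass a literal default before this resolution is carried forward. Minor style point in the same hunk: the kernel-doc summary "Check if creating of BPF token is allowed" reads better as "Check if creating a BPF token is allowed".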