Commit 49e917de authored by Linus Torvalds
Pull selinux updates from Paul Moore:
 "Beyond the usual smattering of bug fixes, we've got three small
  improvements worth highlighting:

   - improved SELinux policy symbol table performance due to a reworking
     of the insert and search functions

   - allow reading of SELinux labels before the policy is loaded,
     allowing for some more "exotic" initramfs approaches

   - improved checking and error reporting about process
     class/permissions during SELinux policy load"

* tag 'selinux-pr-20200803' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: complete the inlining of hashtab functions
  selinux: prepare for inlining of hashtab functions
  selinux: specialize symtab insert and search functions
  selinux: Fix spelling mistakes in the comments
  selinux: fixed a checkpatch warning with the sizeof macro
  selinux: log error messages on required process class / permissions
  scripts/selinux/mdp: fix initial SID handling
  selinux: allow reading labels before policy is loaded
parents 9ecc6ea4 54b27f92
+18 −5
@@ -67,8 +67,14 @@ int main(int argc, char *argv[])

	initial_sid_to_string_len = sizeof(initial_sid_to_string) / sizeof (char *);
	/* print out the sids */
	for (i = 1; i < initial_sid_to_string_len; i++)
		fprintf(fout, "sid %s\n", initial_sid_to_string[i]);
	for (i = 1; i < initial_sid_to_string_len; i++) {
		const char *name = initial_sid_to_string[i];

		if (name)
			fprintf(fout, "sid %s\n", name);
		else
			fprintf(fout, "sid unused%d\n", i);
	}
	fprintf(fout, "\n");

	/* print out the class permissions */
@@ -126,9 +132,16 @@ int main(int argc, char *argv[])
#define OBJUSERROLETYPE "user_u:object_r:base_t"

	/* default sids */
	for (i = 1; i < initial_sid_to_string_len; i++)
		fprintf(fout, "sid %s " SUBJUSERROLETYPE "%s\n",
			initial_sid_to_string[i], mls ? ":" SYSTEMLOW : "");
	for (i = 1; i < initial_sid_to_string_len; i++) {
		const char *name = initial_sid_to_string[i];

		if (name)
			fprintf(fout, "sid %s ", name);
		else
			fprintf(fout, "sid unused%d\n", i);
		fprintf(fout, SUBJUSERROLETYPE "%s\n",
			mls ? ":" SYSTEMLOW : "");
	}
	fprintf(fout, "\n");

#define FS_USE(behavior, fstype)			    \
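Review bot: The unused-SID branch `fprintf(fout, "sid unused%d\n", i);` in the "default sids" loop terminates the line, yet the following `fprintf(fout, SUBJUSERROLETYPE "%s\n", ...)` runs for both branches, so placeholder SIDs are emitted as `sid unused3` on one line and a bare context on the next, whereas named SIDs get `"sid %s "` with a trailing space and the context on the same line. checkpolicy presumably expects `sid <name> <context>` on a single line, so the else branch should mirror the if branch: `fprintf(fout, "sid unused%d ", i);`. The same `"sid unused%d\n"` in the earlier "print out the sids" hunk is correct there, since no context follows it. The enclosing main() starts before and continues after this hunk.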
+6 −1
@@ -3332,7 +3332,12 @@ static int selinux_inode_getsecurity(struct inode *inode, const char *name, void
	char *context = NULL;
	struct inode_security_struct *isec;

	if (strcmp(name, XATTR_SELINUX_SUFFIX))
	/*
	 * If we're not initialized yet, then we can't validate contexts, so
	 * just let vfs_getxattr fall back to using the on-disk xattr.
	 */
	if (!selinux_initialized(&selinux_state) ||
	    strcmp(name, XATTR_SELINUX_SUFFIX))
		return -EOPNOTSUPP;

	/*
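Review bot: The new comment gives the reason for the early return but not its security consequence: before policy load, `-EOPNOTSUPP` makes vfs_getxattr hand back the raw on-disk `security.selinux` value, so userspace receives a label string that has not been validated against any policy, and the same getxattr on the same inode yields a different, policy-validated answer once the policy is loaded. Suggest extending the comment to say so, e.g. `/* Returning -EOPNOTSUPP here lets vfs_getxattr return the raw on-disk xattr unvalidated; the result for this inode changes once a policy is loaded. */`. An unrecognized attribute name and an uninitialized state now share one return value, which is what vfs_getxattr expects but is worth stating explicitly. selinux_inode_getsecurity starts before and continues after this hunk.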
+1 −1
@@ -124,7 +124,7 @@ static void sel_netif_destroy(struct sel_netif *netif)
 * @sid: interface SID
 *
 * Description:
 * This function determines the SID of a network interface by quering the
 * This function determines the SID of a network interface by querying the
 * security policy.  The result is added to the network interface table to
 * speedup future queries.  Returns zero on success, negative values on
 * failure.
+1 −1
@@ -181,7 +181,7 @@ static void sel_netnode_insert(struct sel_netnode *node)
 * @sid: node SID
 *
 * Description:
 * This function determines the SID of a network address by quering the
 * This function determines the SID of a network address by querying the
 * security policy.  The result is added to the network address table to
 * speedup future queries.  Returns zero on success, negative values on
 * failure.
+1 −1
@@ -130,7 +130,7 @@ static void sel_netport_insert(struct sel_netport *port)
 * @sid: port SID
 *
 * Description:
 * This function determines the SID of a network port by quering the security
 * This function determines the SID of a network port by querying the security
 * policy.  The result is added to the network port table to speedup future
 * queries.  Returns zero on success, negative values on failure.
 *