Commit b1dba247 authored by Linus Torvalds
Pull SELinux update from Paul Moore:
 "This is one of the bigger SELinux pull requests in recent years with
  28 patches. Everything is passing our test suite and the highlights
  are below:

   - Mark CONFIG_SECURITY_SELINUX_DISABLE as deprecated. We're some time
     away from actually attempting to remove this in the kernel, but the
     only distro we know that still uses it (Fedora) is working on
     moving away from this so we want to at least let people know we are
     planning to remove it.

   - Reorder the SELinux hooks to help prevent bad things when SELinux
     is disabled at runtime. The proper fix is to remove the
     CONFIG_SECURITY_SELINUX_DISABLE functionality (see above) and just
     take care of it at boot time (e.g. "selinux=0").

   - Add SELinux controls for the kernel lockdown functionality,
     introducing a new SELinux class/permissions: "lockdown { integrity
     confidentiality }".

   - Add a SELinux control for move_mount(2) that reuses the "file {
     mounton }" permission.

   - Improvements to the SELinux security label data store lookup
     functions to speed up translations between our internal label
     representations and the visible string labels (both directions).

   - Revisit a previous fix related to SELinux inode auditing and
     permission caching and do it correctly this time.

   - Fix the SELinux access decision cache to clean up properly on error.
     In some extreme cases this could limit the cache size and result in
     a decrease in performance.

   - Enable SELinux per-file labeling for binderfs.

   - The SELinux initialized and disabled flags were wrapped with
     accessors to ensure they are accessed correctly.

   - Mark several key SELinux structures with __randomize_layout.

   - Changes to the LSM build configuration to only build
     security/lsm_audit.c when needed.

   - Changes to the SELinux build configuration to only build the IB
     object cache when CONFIG_SECURITY_INFINIBAND is enabled.

   - Move a number of single-caller functions into their callers.

   - Documentation fixes (/selinux -> /sys/fs/selinux).

   - A handful of cleanup patches that aren't worth mentioning on their
     own, the individual descriptions have plenty of detail"

* tag 'selinux-pr-20200127' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: (28 commits)
  selinux: fix regression introduced by move_mount(2) syscall
  selinux: do not allocate ancillary buffer on first load
  selinux: remove redundant allocation and helper functions
  selinux: remove redundant selinux_nlmsg_perm
  selinux: fix wrong buffer types in policydb.c
  selinux: reorder hooks to make runtime disable less broken
  selinux: treat atomic flags more carefully
  selinux: make default_noexec read-only after init
  selinux: move ibpkeys code under CONFIG_SECURITY_INFINIBAND.
  selinux: remove redundant msg_msg_alloc_security
  Documentation,selinux: fix references to old selinuxfs mount point
  selinux: deprecate disabling SELinux and runtime
  selinux: allow per-file labelling for binderfs
  selinuxfs: use scnprintf to get real length for inode
  selinux: remove set but not used variable 'sidtab'
  selinux: ensure the policy has been loaded before reading the sidtab stats
  selinux: ensure we cleanup the internal AVC counters on error in avc_update()
  selinux: randomize layout of key structures
  selinux: clean up selinux_enabled/disabled/enforcing_boot
  selinux: remove unnecessary selinux cred request
  ...
parents 07e309a9 98aa0034
+26 −0
What:		/sys/fs/selinux/disable
Date:		April 2005 (predates git)
KernelVersion:	2.6.12-rc2 (predates git)
Contact:	selinux@vger.kernel.org
Description:

	The selinuxfs "disable" node allows SELinux to be disabled at runtime
	prior to a policy being loaded into the kernel.  If disabled via this
	mechanism, SELinux will remain disabled until the system is rebooted.

	The preferred method of disabling SELinux is via the "selinux=0" boot
	parameter, but the selinuxfs "disable" node was created to make it
	easier for systems with primitive bootloaders that did not allow for
	easy modification of the kernel command line.  Unfortunately, allowing
	for SELinux to be disabled at runtime makes it difficult to secure the
	kernel's LSM hooks using the "__ro_after_init" feature.

	Thankfully, the need for the SELinux runtime disable appears to be
	gone, the default Kconfig configuration disables this selinuxfs node,
	and only one of the major distributions, Fedora, supports disabling
	SELinux at runtime.  Fedora is in the process of removing the
	selinuxfs "disable" node and once that is complete we will start the
	slow process of removing this code from the kernel.

	More information on /sys/fs/selinux/disable can be found under the
	CONFIG_SECURITY_SELINUX_DISABLE Kconfig option.
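Review bot: the closing pointer "More information on /sys/fs/selinux/disable can be found under the CONFIG_SECURITY_SELINUX_DISABLE Kconfig option" names the option but not where it lives; the selinux= entry in kernel-parameters.txt in this same series already says "See security/selinux/Kconfig help text.", so name security/selinux/Kconfig here as well so a reader of the ABI file can go straight to it. The rest of the Description reads well, and the sentence explaining that a runtime disable prevents the LSM hook table from being marked __ro_after_init is exactly the justification a reviewer wants to see for retiring the node.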
+4 −5
@@ -511,7 +511,7 @@
			1 -- check protection requested by application.
			Default value is set via a kernel config option.
			Value can be changed at runtime via
				/selinux/checkreqprot.
				/sys/fs/selinux/checkreqprot.

	cio_ignore=	[S390]
			See Documentation/s390/common_io.rst for details.
@@ -1245,7 +1245,8 @@
			0 -- permissive (log only, no denials).
			1 -- enforcing (deny and log).
			Default value is 0.
			Value can be changed at runtime via /selinux/enforce.
			Value can be changed at runtime via
			/sys/fs/selinux/enforce.

	erst_disable	[ACPI]
			Disable Error Record Serialization Table (ERST)
@@ -4348,9 +4349,7 @@
			See security/selinux/Kconfig help text.
			0 -- disable.
			1 -- enable.
			Default value is set via kernel config option.
			If enabled at boot time, /selinux/disable can be used
			later to disable prior to initial policy load.
			Default value is 1.

	apparmor=	[APPARMOR] Disable or enable AppArmor at boot time
			Format: { "0" | "1" }
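Review bot: with the removed lines gone, the selinux= help no longer mentions the runtime disable at all, so an administrator reading kernel-parameters.txt gets no hint that /sys/fs/selinux/disable still exists but is deprecated; since this series adds Documentation/ABI/obsolete/sysfs-selinux-disable (see the MAINTAINERS hunk), consider replacing the dropped sentence with a one-line pointer to that file instead of deleting it outright, e.g. "The runtime disable via /sys/fs/selinux/disable is deprecated; see Documentation/ABI/obsolete/sysfs-selinux-disable." The new "Default value is 1." line is fine on its own.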
+1 −0
@@ -14870,6 +14870,7 @@ F: include/uapi/linux/selinux_netlink.h
F:	security/selinux/
F:	scripts/selinux/
F:	Documentation/admin-guide/LSM/SELinux.rst
F:	Documentation/ABI/obsolete/sysfs-selinux-disable
SENSABLE PHANTOM
M:	Jiri Slaby <jirislaby@gmail.com>
+2 −0
@@ -74,6 +74,7 @@ struct common_audit_data {
#define LSM_AUDIT_DATA_FILE	12
#define LSM_AUDIT_DATA_IBPKEY	13
#define LSM_AUDIT_DATA_IBENDPORT 14
#define LSM_AUDIT_DATA_LOCKDOWN 15
	union 	{
		struct path path;
		struct dentry *dentry;
@@ -93,6 +94,7 @@ struct common_audit_data {
		struct file *file;
		struct lsm_ibpkey_audit *ibpkey;
		struct lsm_ibendport_audit *ibendport;
		int reason;
	} u;
	/* this union contains LSM specific data */
	union {
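Review bot: `int reason;` in the `u` union carries no indication of which LSM_AUDIT_DATA_* type it belongs to, unlike its neighbours (`file`, `ibpkey`, `ibendport`) whose names match the data they hold; declare it as `enum lockdown_reason reason;` (the enum is visible in the lockdown header hunk in this same change) or at least add a comment tying the member to LSM_AUDIT_DATA_LOCKDOWN, so that whoever formats it in lsm_audit.c knows the value is an index into the lockdown reason table rather than an errno or a flag.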
+2 −0
@@ -128,6 +128,8 @@ enum lockdown_reason {
	LOCKDOWN_CONFIDENTIALITY_MAX,
};

extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1];

/* These functions are in security/commoncap.c */
extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
		       int cap, unsigned int opts);
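Review bot: the bound `LOCKDOWN_CONFIDENTIALITY_MAX+1` tells the reader that `lockdown_reasons` is indexed by `enum lockdown_reason` up to and including the _MAX sentinel, but nothing in the header says so or warns that a caller passing a value outside the enum would read past the end of the table; add a short comment above the extern stating the indexing contract, and since the declaration is now shared outside security/lockdown, callers that take the reason from another subsystem should range-check it before indexing. Style nit: write `LOCKDOWN_CONFIDENTIALITY_MAX + 1` with spaces around the operator, as checkpatch asks for binary operators.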