[GIT PULL] SELinux patches for v5.2

From: Paul Moore
Date: Tue May 07 2019 - 13:24:10 EST

Hi Linus,

We've got a few SELinux patches for the v5.2 merge window, the
highlights are below:

- Add LSM hooks, and the SELinux implementation, for proper labeling
of kernfs. While we are only including the SELinux implementation
here, the rest of the LSM folks have given the hooks a thumbs-up.

- Update the SELinux mdp (Make Dummy Policy) script to actually work
on a modern system.

- Disallow userspace to change the LSM credentials via /proc/self/attr
when the task's credentials are already overridden. The change was
made in procfs because all the LSM folks agreed this was the Right
Thing To Do and duplicating it across each LSM was going to be

As a FYI, you will likely run into a minor merge problem with
scripts/selinux/mdp.c due to patches sent up during the v5.1-rcX
cycle, but it is pretty trivial to resolve (just make sure the
kconfig.h include is included). If you have any questions about the
merge, you know where to find us.

Please pull this for v5.2,

The following changes since commit 9e98c678c2d6ae3a17cb2de55d17f69dddaa231b:

Linux 5.1-rc1 (2019-03-17 14:22:26 -0700)

are available in the Git repository at:


for you to fetch changes up to 35a196bef449b5824033865b963ed9a43fb8c730:

proc: prevent changes to overridden credentials (2019-04-29 09:51:21 -0400)

selinux/stable-5.2 PR 20190507

Arnd Bergmann (1):
selinux: avoid uninitialized variable warning

Ondrej Mosnacek (10):
kernfs: clean up struct kernfs_iattrs
kernfs: do not alloc iattrs in kernfs_xattr_get
selinux: try security xattr after genfs for kernfs filesystems
kernfs: use simple_xattrs for security attributes
LSM: add new hook for kernfs node initialization
selinux: implement the kernfs_init_security hook
kernfs: initialize security of newly created nodes
LSM: lsm_hooks.h - fix missing colon in docstring
selinux: remove useless assignments
kernfs: fix xattr name handling in LSM helpers

Paul Moore (2):
MAINTAINERS: update SELinux file patterns
proc: prevent changes to overridden credentials

Paulo Alcantara (1):
selinux: use kernel linux/socket.h for genheaders and mdp

Stephen Smalley (2):
scripts/selinux: modernize mdp
scripts/selinux: fix build

Tetsuo Handa (1):
selinux: Check address length before reading address family

YueHaibing (1):
selinux: Make selinux_kernfs_init_security static

fs/kernfs/dir.c | 24 ++--
fs/kernfs/inode.c | 162 +++++++++--------------
fs/kernfs/kernfs-internal.h | 8 +-
fs/kernfs/symlink.c | 4 +-
fs/proc/base.c | 5 +
include/linux/kernfs.h | 13 ++
include/linux/lsm_hooks.h | 13 ++
include/linux/security.h | 9 ++
scripts/selinux/genheaders/genheaders.c | 1 -
scripts/selinux/install_policy.sh | 92 +++++++------
scripts/selinux/mdp/Makefile | 2 +-
scripts/selinux/mdp/mdp.c | 166 ++++++++++++++++++++----
security/security.c | 6 +
security/selinux/hooks.c | 229 +++++++++++++++++++++----------
security/selinux/include/classmap.h | 1 +
security/selinux/include/security.h | 1 +
security/selinux/netlabel.c | 14 +-
security/selinux/ss/services.c | 7 +-
19 files changed, 488 insertions(+), 271 deletions(-)

paul moore