[GIT PULL] SELinux patches for v5.7

From: Paul Moore
Date: Mon Mar 30 2020 - 20:38:28 EST


Hi Linus,

We've got twenty SELinux patches for the v5.7 merge window, the
highlights are below. Beyond the highlights there a couple of things
I want to call out in this pull request: a merge conflict, and a
maintainer screw-up.

The merge conflict is in security/selinux/hooks.c and is against a
binder fs name fix we sent during the v5.6-rcX cycle; the fixup is
trivial but if you need me to fix it, let me know. The maintainer
screw-up deals with the second patch from the top of the pull request,
the NFS fix. The screw-up isn't the fact that this is a NFS patch, we
talked to the NFS guys and they are okay with it. The issue is that
the commit date is today - during the merge window - which doesn't
reflect the testing the patch received. The reality is that I merged
this patch back on March 12th, and it has been part of our testing
ever since, but when putting this pull request together I noticed that
I had dropped the subject line from the patch when I was merging it.
Not wanting a malformed commit, I popped the top two patches from the
stack and restored the missing subject line; this had the unfortunate
side effect of making it look like the two top patches were just
merged today - my apologies.

Regardless, here are the highlights:

- Deprecate setting /sys/fs/selinux/checkreqprot to 1. This flag was
originally created to deal with legacy userspace and the
READ_IMPLIES_EXEC personality flag. We changed the default from 1 to
0 back in Linux v4.4 and now we are taking the next step of
deprecating it, at some point in the future we will take the final
step of rejecting 1.
- Allow kernfs symlinks to inherit the SELinux label of the parent
directory. In order to preserve backwards compatibility this is
protected by the genfs_seclabel_symlinks SELinux policy capability.
- Optimize how we store filename transitions in the kernel, resulting
in some significant improvements to policy load times.
- Do a better job calculating our internal hash table sizes which
resulted in additional policy load improvements and likely general
SELinux performance improvements as well.
- Remove the unused initial SIDs (labels) and improve how we handle
initial SIDs.
- Enable per-file labeling for the bpf filesystem.
- Ensure that we properly label NFS v4.2 filesystems to avoid a
temporary unlabeled condition.
- Add some missing XFS quota command types to the SELinux quota access controls.
- Fix a problem where we were not updating the seq_file position index
correctly in selinuxfs.
- We consolidate some duplicated code into helper functions.
- A number of list to array conversions.
- Update Stephen Smalley's email address in MAINTAINERS.

Thanks,
-Paul
--
The following changes since commit bb6d3fb354c5ee8d6bde2d576eb7220ea09862b9:

Linux 5.6-rc1 (2020-02-09 16:08:48 -0800)

are available in the Git repository at:

git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
tags/selinux-pr-20200330

for you to fetch changes up to c753924b628551564b6eea3c9896e4a95aa25ed9:

selinux: clean up indentation issue with assignment statement
(2020-03-30 19:57:07 -0400)

----------------------------------------------------------------
selinux/stable-5.7 PR 20200330

----------------------------------------------------------------
Christian GÃttsche (1):
selinux: allow kernfs symlinks to inherit parent directory context

Colin Ian King (1):
selinux: clean up indentation issue with assignment statement

Connor O'Brien (1):
security: selinux: allow per-file labeling for bpffs

Ondrej Mosnacek (10):
selinux: move status variables out of selinux_ss
selinux: simplify evaluate_cond_node()
selinux: convert cond_list to array
selinux: convert cond_av_list to array
selinux: convert cond_expr to array
selinux: generalize evaluate_cond_node()
selinux: factor out loop body from filename_trans_read()
selinux: optimize storage of filename transitions
selinux: reduce the use of hard-coded hash sizes
selinux: clean up error path in policydb_init()

Paul Moore (1):
selinux: avtab_init() and cond_policydb_init() return void

Richard Haines (1):
selinux: Add xfs quota command types

Scott Mayhew (1):
NFS: Ensure security label is set for root inode

Stephen Smalley (3):
Documentation,selinux: deprecate setting checkreqprot to 1
selinux: remove unused initial SIDs and improve handling
MAINTAINERS: Update my email address

Vasily Averin (1):
selinux: sel_avc_get_stat_idx should increase position index

.../ABI/obsolete/sysfs-selinux-checkreqprot | 23 ++
Documentation/admin-guide/kernel-parameters.txt | 1 +
MAINTAINERS | 3 +-
fs/nfs/getroot.c | 39 ++-
fs/nfs/nfs4proc.c | 12 +-
fs/nfs/super.c | 25 --
include/linux/nfs_xdr.h | 1 +
scripts/selinux/genheaders/genheaders.c | 11 +-
security/selinux/Kconfig | 3 +
security/selinux/Makefile | 4 +-
security/selinux/hooks.c | 18 +-
security/selinux/include/conditional.h | 8 +-
security/selinux/include/initial_sid_to_string.h | 57 ++--
security/selinux/include/security.h | 12 +
security/selinux/selinuxfs.c | 19 +-
security/selinux/ss/avtab.c | 3 +-
security/selinux/ss/avtab.h | 2 +-
security/selinux/ss/conditional.c | 259 +++++-------
security/selinux/ss/conditional.h | 29 +-
security/selinux/ss/hashtab.c | 28 +-
security/selinux/ss/hashtab.h | 2 +-
security/selinux/ss/policydb.c | 326 ++++++++---------
security/selinux/ss/policydb.h | 13 +-
security/selinux/ss/services.c | 79 +++--
security/selinux/ss/services.h | 2 -
security/selinux/{ss => }/status.c | 32 +-
26 files changed, 521 insertions(+), 490 deletions(-)
create mode 100644 Documentation/ABI/obsolete/sysfs-selinux-checkreqprot
rename security/selinux/{ss => }/status.c (81%)

--
paul moore
www.paul-moore.com