[GIT PULL] SELinux patches for v5.10

From: Paul Moore
Date: Mon Oct 12 2020 - 22:42:03 EST


Hi Linus,

A decent number of SELinux patches for v5.10, twenty-two in total.
The highlights are listed below, but all of the patches pass our test
suite and merge cleanly against your tree. Please merge for v5.10.

- A number of changes to how the SELinux policy is loaded and managed
inside the kernel with the goal of improving the atomicity of a
SELinux policy load operation. These changes account for the bulk of
the diffstat as well as the patch count. A special thanks to everyone
who contributed patches and fixes for this work.

- Convert the SELinux policy read-write lock to RCU.

- A tracepoint was added for audited SELinux access control events;
this should help provide a more unified backtrace across kernel and
userspace.

- Allow the removal of security.selinux xattrs when a SELinux policy
is not loaded.

- Enable policy capabilities in SELinux policies created with the
scripts/selinux/mdp tool.

- Provide some "no sooner than" dates for the SELinux checkreqprot
sysfs deprecation.

Thanks,
-Paul

--
The following changes since commit 9123e3a74ec7b934a4a099e98af6a61c2f80bbf5:

Linux 5.9-rc1 (2020-08-16 13:04:57 -0700)

are available in the Git repository at:

git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
tags/selinux-pr-20201012

for you to fetch changes up to 0d50f059c4cdc9e436f6f4db8779ac0795bfdadf:

selinux: provide a "no sooner than" date for the checkreqprot removal
(2020-09-29 16:50:57 -0400)

----------------------------------------------------------------
selinux/stable-5.10 PR 20201012

----------------------------------------------------------------
Colin Ian King (1):
selinux: fix allocation failure check on newpolicy->sidtab

Dan Carpenter (1):
selinux: fix error handling bugs in security_load_policy()

Daniel Burgener (4):
selinux: Create function for selinuxfs directory cleanup
selinux: Refactor selinuxfs directory populating functions
selinux: Standardize string literal usage for selinuxfs directory names
selinux: Create new booleans and class dirs out of tree

Lakshmi Ramasubramanian (1):
selinux: Add helper functions to get and set checkreqprot

Ondrej Mosnacek (1):
selinux: simplify away security_policydb_len()

Paul Moore (1):
selinux: provide a "no sooner than" date for the checkreqprot removal

Peter Enderborg (1):
selinux: add basic filtering for audit trace events

Randy Dunlap (1):
selinux: delete repeated words in comments

Stephen Smalley (9):
scripts/selinux,selinux: update mdp to enable policy capabilities
selinux: encapsulate policy state, refactor policy load
selinux: move policy commit after updating selinuxfs
selinux: refactor changing booleans
selinux: avoid dereferencing the policy prior to initialization
selinux: permit removing security.selinux xattr before policy load
selinux: convert policy read-write lock to RCU
selinux: move policy mutex to selinux_state, use in lockdep checks
selinux: access policycaps with READ_ONCE/WRITE_ONCE

Thiébaud Weksteen (1):
selinux: add tracepoint on audited events

kernel test robot (1):
selinux: fix memdup.cocci warnings

.../ABI/obsolete/sysfs-selinux-checkreqprot | 2 +-
MAINTAINERS | 1 +
include/trace/events/avc.h | 53 ++
scripts/selinux/mdp/mdp.c | 7 +
security/selinux/avc.c | 29 +-
security/selinux/hooks.c | 17 +-
security/selinux/include/conditional.h | 2 +-
security/selinux/include/policycap.h | 20 +
security/selinux/include/policycap_names.h | 18 +
security/selinux/include/security.h | 63 +-
security/selinux/selinuxfs.c | 259 ++++--
security/selinux/ss/avtab.c | 49 +-
security/selinux/ss/avtab.h | 1 +
security/selinux/ss/conditional.c | 155 ++++
security/selinux/ss/conditional.h | 2 +
security/selinux/ss/hashtab.c | 53 ++
security/selinux/ss/hashtab.h | 6 +
security/selinux/ss/services.c | 875 ++++++++++-------
security/selinux/ss/services.h | 5 +-
security/selinux/ss/sidtab.c | 10 +
security/selinux/ss/sidtab.h | 2 +
21 files changed, 1130 insertions(+), 499 deletions(-)
create mode 100644 include/trace/events/avc.h
create mode 100644 security/selinux/include/policycap.h
create mode 100644 security/selinux/include/policycap_names.h

--
paul moore
www.paul-moore.com