[GIT PULL] LSM patches for v6.6
From: Paul Moore
Date: Tue Aug 29 2023 - 19:38:22 EST
Hi Linus,
Ten LSM patches for the Linux v6.6 merge window, and while most of
them are fairly minor, there is at least one merge conflict involving
security_sk_classify_flow() in security/security.c; it looks like a
netdev constification patch collided with a LSM documentation patch,
thankfully the solution is relatively simple but if for some odd
reason you need a respin let me know.
On to the highlights ...
- Add proper multi-LSM support for xattrs in the
security_inode_init_security() hook
Historically the LSM layer has only allowed a single LSM to add an
xattr to an inode, with IMA/EVM measuring that and adding its own as
well. As we work towards promoting IMA/EVM to a "proper LSM" instead
of the special case that it is now, we need to better support the case
of multiple LSMs each adding xattrs to an inode and after several
attempts we now appear to have something that is working well. It is
worth noting that in the process of making this change we uncovered a
problem with Smack's SMACK64TRANSMUTE xattr which is also fixed in
this pull request.
- Additional LSM hook constification
Two patches to constify parameters to security_capget() and
security_binder_transfer_file(). While I generally don't make a
special note of who submitted these patches, these were the work of an
Outreachy intern, Khadija Kamran, and that makes me happy; hopefully
it does the same for all of you reading this.
- LSM hook comment header fixes
One patch to add a missing hook comment header, one to fix a minor typo.
- Remove an old, unused credential function declaration
It wasn't clear to me who should pick this up, but it was trivial,
obviously correct, and arguably the LSM layer has a vested interest in
credentials so I merged it. Sadly I'm now noticing that despite my
subject line cleanup I didn't cleanup the "unsued" misspelling, sigh.
Please merge,
-Paul
--
The following changes since commit 06c2afb862f9da8dc5efa4b6076a0e48c3fbaaa5:
Linux 6.5-rc1 (2023-07-09 13:53:13 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git
tags/lsm-pr-20230829
for you to fetch changes up to 8e4672d6f902d5c4db1e87e8aa9f530149d85bc6:
lsm: constify the 'file' parameter in security_binder_transfer_file()
(2023-08-15 16:04:34 -0400)
----------------------------------------------------------------
lsm/stable-6.6 PR 20230829
----------------------------------------------------------------
Khadija Kamran (3):
lsm: add comment block for security_sk_classify_flow LSM hook
lsm: constify the 'target' parameter in security_capget()
lsm: constify the 'file' parameter in security_binder_transfer_file()
Pairman Guo (1):
lsm: fix typo in security_file_lock() comment header
Roberto Sassu (5):
security: Allow all LSMs to provide xattrs for inode_init_security hook
smack: Set the SMACK64TRANSMUTE xattr in smack_inode_init_security()
evm: Align evm_inode_init_security() definition with LSM infrastructure
evm: Support multiple LSMs providing an xattr
security: Fix ret values doc for security_inode_init_security()
YueHaibing (1):
cred: remove unsued extern declaration change_create_files_as()
include/linux/cred.h | 1 -
include/linux/evm.h | 14 +++---
include/linux/lsm_hook_defs.h | 10 ++---
include/linux/lsm_hooks.h | 20 +++++++++
include/linux/security.h | 11 ++---
kernel/capability.c | 2 +-
security/apparmor/lsm.c | 2 +-
security/commoncap.c | 2 +-
security/integrity/evm/evm.h | 4 +-
security/integrity/evm/evm_crypto.c | 11 ++++-
security/integrity/evm/evm_main.c | 39 +++++++++++++---
security/security.c | 90 +++++++++++++++++++++++----------
security/selinux/hooks.c | 27 +++++------
security/smack/smack.h | 2 +-
security/smack/smack_lsm.c | 68 ++++++++++++++++------------
15 files changed, 202 insertions(+), 101 deletions(-)
--
paul-moore.com