mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-27 22:51:31 +00:00
b1dba24731
-----BEGIN PGP SIGNATURE-----
iQJIBAABCAAyFiEES0KozwfymdVUl37v6iDy2pc3iXMFAl4vRu8UHHBhdWxAcGF1
bC1tb29yZS5jb20ACgkQ6iDy2pc3iXPE1BAA0yg0npafRIrjIMU5IkpDh8TvywWF
DDcarqBXNSIXJtl3EWr7LynvKKqBs4jN7R0ZRMYc5e/6LrSUBvds4GTPm7dOOW4C
cIlAjXTlek2LvHf1/6aNE2SdlkNBYOYo//ifVH+zAn6VOQHGZXBd31oxwPLNW5mP
vVS7OIGhWPcviUebxD7mNmgS/ODoZS/ZL434RK07FhMnN/jEdfuNnu87uz7WAK1p
MWmqzB2tkwrj5uN5wRU6+9R82xYGbo6Xq5uEsFidMrlrn+cguuf+xPrrejT1qVnU
8r72MKKRjfObMRj1fQt3VC0feFt2WyC0qAk3XwKljmllGXZIzV1IPmrui9pLD5Ti
IhLgIEBtMpJgrYhFwl3yMe1EUwdQ/WAlbf8GnoIWyzm0oOo0kaN5BfrvlYtYYmN3
i2xpDOcQ0J4I3tA7zXMpD5tWzDzePxxadZ367qtwRp/AhbL4bnqbvP7vaPtZczz2
pTEGFYIbeqfLCwy2PWHZOVYj83bidmC0lQ3PTFsC26Upui750MdFa7toQV70Hiqo
EdpOzxUHbn6pPuGy7Rey26ybOiZPkL1q1Czoa6jbNyutv8ts2eZNyuCL25QKKzvE
42AvSzA0lt8taDbSbNu+FiexR619oEt15hSrHrRslunecumYfNjJyk85ZCloh+XL
dnD1bPytgl1G4i8=
=2jFm
-----END PGP SIGNATURE-----
Merge tag 'selinux-pr-20200127' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux
Pull SELinux update from Paul Moore:
"This is one of the bigger SELinux pull requests in recent years with
28 patches. Everything is passing our test suite and the highlights
are below:
- Mark CONFIG_SECURITY_SELINUX_DISABLE as deprecated. We're some time
away from actually attempting to remove this in the kernel, but the
only distro we know that still uses it (Fedora) is working on
moving away from this so we want to at least let people know we are
planning to remove it.
- Reorder the SELinux hooks to help prevent bad things when SELinux
is disabled at runtime. The proper fix is to remove the
CONFIG_SECURITY_SELINUX_DISABLE functionality (see above) and just
take care of it at boot time (e.g. "selinux=0").
- Add SELinux controls for the kernel lockdown functionality,
introducing a new SELinux class/permissions: "lockdown { integrity
confidentiality }".
- Add a SELinux control for move_mount(2) that reuses the "file {
mounton }" permission.
- Improvements to the SELinux security label data store lookup
functions to speed up translations between our internal label
representations and the visible string labels (both directions).
- Revisit a previous fix related to SELinux inode auditing and
permission caching and do it correctly this time.
- Fix the SELinux access decision cache to cleanup properly on error.
In some extreme cases this could limit the cache size and result in
a decrease in performance.
- Enable SELinux per-file labeling for binderfs.
- The SELinux initialized and disabled flags were wrapped with
accessors to ensure they are accessed correctly.
- Mark several key SELinux structures with __randomize_layout.
- Changes to the LSM build configuration to only build
security/lsm_audit.c when needed.
- Changes to the SELinux build configuration to only build the IB
object cache when CONFIG_SECURITY_INFINIBAND is enabled.
- Move a number of single-caller functions into their callers.
- Documentation fixes (/selinux -> /sys/fs/selinux).
- A handful of cleanup patches that aren't worth mentioning on their
own, the individual descriptions have plenty of detail"
* tag 'selinux-pr-20200127' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: (28 commits)
selinux: fix regression introduced by move_mount(2) syscall
selinux: do not allocate ancillary buffer on first load
selinux: remove redundant allocation and helper functions
selinux: remove redundant selinux_nlmsg_perm
selinux: fix wrong buffer types in policydb.c
selinux: reorder hooks to make runtime disable less broken
selinux: treat atomic flags more carefully
selinux: make default_noexec read-only after init
selinux: move ibpkeys code under CONFIG_SECURITY_INFINIBAND.
selinux: remove redundant msg_msg_alloc_security
Documentation,selinux: fix references to old selinuxfs mount point
selinux: deprecate disabling SELinux and runtime
selinux: allow per-file labelling for binderfs
selinuxfs: use scnprintf to get real length for inode
selinux: remove set but not used variable 'sidtab'
selinux: ensure the policy has been loaded before reading the sidtab stats
selinux: ensure we cleanup the internal AVC counters on error in avc_update()
selinux: randomize layout of key structures
selinux: clean up selinux_enabled/disabled/enforcing_boot
selinux: remove unnecessary selinux cred request
...
|
||
|---|---|---|
| .. | ||
| apparmor | ||
| integrity | ||
| keys | ||
| loadpin | ||
| lockdown | ||
| safesetid | ||
| selinux | ||
| smack | ||
| tomoyo | ||
| yama | ||
| commoncap.c | ||
| device_cgroup.c | ||
| inode.c | ||
| Kconfig | ||
| Kconfig.hardening | ||
| lsm_audit.c | ||
| Makefile | ||
| min_addr.c | ||
| security.c | ||