Message-ID: <da749e8ed1a18e2b14d9337a78749b15@paul-moore.com>
Date: Tue, 21 Jan 2025 18:40:10 -0500
From: Paul Moore <paul@...l-moore.com>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [GIT PULL] lsm/lsm-pr-20250121

Linus,

Fifteen LSM framework patches for the v6.14 merge window; a summary is
below:

- Improved handling of LSM "secctx" strings through lsm_context struct

  The LSM secctx string interface is from an older time when only one
  LSM was supported; migrate over to the lsm_context struct to better
  support the different LSMs we now have and make it easier to support
  new LSMs in the future.
  
  These changes explain the Rust, VFS, and networking changes in the
  diffstat.

- Only build lsm_audit.c if CONFIG_SECURITY and CONFIG_AUDIT are enabled

  Small tweak to be a bit smarter about when we build the LSM's common
  audit helpers.

- Check for absurdly large policies from userspace in SafeSetID

  SafeSetID policy rules are fairly small, basically just "UID:UID", so
  it is easy to impose a limit of KMALLOC_MAX_SIZE on policy writes,
  which helps quiet a number of syzbot-related issues.  While work is
  being done to address the syzbot issues through other mechanisms, this
  is a trivial and relatively safe fix that we can do now.

- Various minor improvements and cleanups

  A collection of improvements to the kernel selftests, constification
  of some function parameters, removing redundant assignments, and local
  variable renames to improve readability.

Paul

--
The following changes since commit 40384c840ea1944d7c5a392e8975ed088ecf0b37:

  Linux 6.13-rc1 (2024-12-01 14:28:56 -0800)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git
    tags/lsm-pr-20250121

for you to fetch changes up to 714d87c90a766e6917f7d69f618b864d350f09d3:

  lockdown: initialize local array before use to quiet static analysis
    (2025-01-05 12:48:43 -0500)

----------------------------------------------------------------
lsm/stable-6.14 PR 20250121
----------------------------------------------------------------

Alice Ryhl (1):
      rust: replace lsm context+len with lsm_context

Amit Vadhavana (1):
      selftests: refactor the lsm `flags_overset_lsm_set_self_attr` test

Casey Schaufler (7):
      lsm: ensure the correct LSM context releaser
      lsm: replace context+len with lsm_context
      lsm: use lsm_context in security_inode_getsecctx
      lsm: lsm_context in security_dentry_init_security
      lsm: secctx provider check on release
      binder: initialize lsm_context structure
      net: corrections for security_secid_to_secctx returns

Christian Göttsche (2):
      lsm: constify function parameters
      lsm: rename variable to avoid shadowing

Colin Ian King (1):
      security: remove redundant assignment to return variable

Leo Stone (1):
      safesetid: check size of policy writes

Mickaël Salaün (1):
      lsm: Only build lsm_audit.c if CONFIG_SECURITY and CONFIG_AUDIT
         are set

Tanya Agarwal (1):
      lockdown: initialize local array before use to quiet static
         analysis

 drivers/android/binder.c                             |   25 +---
 fs/ceph/super.h                                      |    3 
 fs/ceph/xattr.c                                      |   12 -
 fs/fuse/dir.c                                        |   35 ++---
 fs/nfs/nfs4proc.c                                    |   22 ++-
 fs/nfsd/nfs4xdr.c                                    |   22 +--
 include/linux/lsm_audit.h                            |   14 ++
 include/linux/lsm_hook_defs.h                        |   13 --
 include/linux/security.h                             |   37 +++---
 include/net/scm.h                                    |   12 -
 kernel/audit.c                                       |   33 ++---
 kernel/auditsc.c                                     |   27 +---
 net/ipv4/ip_sockglue.c                               |   12 -
 net/netfilter/nf_conntrack_netlink.c                 |   20 +--
 net/netfilter/nf_conntrack_standalone.c              |   11 -
 net/netfilter/nfnetlink_queue.c                      |   26 ++--
 net/netlabel/netlabel_unlabeled.c                    |   44 ++-----
 net/netlabel/netlabel_user.c                         |   10 -
 rust/helpers/security.c                              |    8 -
 rust/kernel/security.rs                              |   38 ++----
 security/Kconfig                                     |    5 
 security/Makefile                                    |    2 
 security/apparmor/include/secid.h                    |    7 -
 security/apparmor/secid.c                            |   34 +++--
 security/lockdown/lockdown.c                         |    2 
 security/lsm_audit.c                                 |    8 -
 security/safesetid/securityfs.c                      |    3 
 security/security.c                                  |   67 ++++-------
 security/selinux/hooks.c                             |   49 +++++---
 security/smack/smack_lsm.c                           |   52 ++++----
 tools/testing/selftests/lsm/lsm_set_self_attr_test.c |    7 -
 31 files changed, 351 insertions(+), 309 deletions(-)

--
paul-moore.com
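As an added illustration of the secctx changes in this pull (the lsm_context migration and the "secctx provider check on release" commit), written for this page and not taken from the kernel or from the message above: a userspace C model in which two stacked LSMs each own a release hook and the framework frees a context only through the LSM whose id the context carries. The struct layout follows the kernel's lsm_context (context, len, id); the LSM ids, hook names, the "a_label" string and the demo function are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Layout follows the kernel's struct lsm_context: the secctx buffer, its
 * length, and the id of the LSM that allocated the buffer. */
struct lsm_context { char *context; unsigned int len; int id; };
/* Constructed ids for two model LSMs; 0 means no provider was recorded. */
enum { LSM_ID_UNDEF = 0, LSM_ID_A = 100, LSM_ID_B = 101 };
static int releases_a, releases_b; /* how often each LSM's release hook ran */

/* Model LSM A: builds a secctx string for a secid and stamps its own id. */
static int lsm_a_secid_to_secctx(unsigned int secid, struct lsm_context *cp)
{
	cp->len = (unsigned int)snprintf(NULL, 0, "a_label:%u", secid) + 1;
	if (!(cp->context = malloc(cp->len)))
		return -1;
	snprintf(cp->context, cp->len, "a_label:%u", secid);
	cp->id = LSM_ID_A;
	return (int)cp->len;
}
static void lsm_a_release(struct lsm_context *cp) { free(cp->context); releases_a++; }
static void lsm_b_release(struct lsm_context *cp) { free(cp->context); releases_b++; }
static const struct { int id; void (*release)(struct lsm_context *); } hooks[] = {
	{ LSM_ID_A, lsm_a_release }, { LSM_ID_B, lsm_b_release },
};

/* Framework: free only via the LSM whose id the context carries; -1 (buffer
 * left untouched) if no stacked LSM claims it. */
static int security_release_secctx(struct lsm_context *cp)
{
	for (size_t i = 0; i < sizeof hooks / sizeof hooks[0]; i++) {
		if (cp->id != hooks[i].id)
			continue;
		hooks[i].release(cp);
		cp->context = NULL; cp->len = 0; cp->id = LSM_ID_UNDEF;
		return 0;
	}
	return -1;
}

/* Round trip through A (only A's hook may run), then a context with no
 * recorded provider must be refused and its buffer kept. Returns 1 if both hold. */
static int demo_provider_check(void)
{
	char stale[] = "stale";
	struct lsm_context cp = { NULL, 0, LSM_ID_UNDEF };
	struct lsm_context orphan = { stale, sizeof stale, LSM_ID_UNDEF };
	if (lsm_a_secid_to_secctx(42, &cp) < 0 || strcmp(cp.context, "a_label:42"))
		return 0;
	return security_release_secctx(&cp) == 0 && !cp.context && releases_a == 1 &&
	       !releases_b && security_release_secctx(&orphan) == -1 && orphan.context == stale;
}
int main(void) { return demo_provider_check() ? 0 : 1; }
```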
