Message-ID: <d0ade43454dee9c00689f03e8d9bd32a@paul-moore.com>
Date: Sun, 23 Mar 2025 15:39:46 -0400
From: Paul Moore <paul@...l-moore.com>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: selinux@...r.kernel.org, linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [GIT PULL] selinux/selinux-pr-20250323
Linus,
Here is the SELinux pull request for the Linux v6.15 merge window; the
highlights are below:

  - Add additional SELinux access controls for kernel file reads/loads

    The SELinux kernel file read/load access controls were never updated
    beyond the initial kernel module support; this pull request adds
    support for firmware, kexec, policies, and x.509 certificates.
  - Add support for wildcards in network interface names

    There are a number of userspace tools which auto-generate network
    interface names using some pattern of <XXXX>-<NN> where <XXXX> is
    a fixed string, e.g. "podman", and <NN> is an increasing counter.
    Supporting wildcards in the SELinux policy for network interfaces
    simplifies the policy associated with these interfaces.
  - Fix a potential problem in the kernel read file SELinux code

    SELinux should always check the file label in the
    security_kernel_read_file() LSM hook, regardless of if the file is
    being read in chunks. Unfortunately, the existing code only
    considered the file label on the first chunk; this pull request
    fixes this problem.

    There is more detail in the individual commit, but thankfully the
    existing code didn't expose a bug due to multi-stage reads only
    taking place in one driver, and that driver loading a file type
    that isn't targeted by the SELinux policy.

  - Fix the subshell error handling in the example policy loader

    Minor fix to the SELinux example policy loader in scripts/selinux due
    to an undesired interaction with subshells and errexit.
Please merge,
-Paul
--
The following changes since commit 2014c95afecee3e76ca4a56956a936e23283f05b:

  Linux 6.14-rc1 (2025-02-02 15:39:26 -0800)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
    tags/selinux-pr-20250323

for you to fetch changes up to a3d3043ef24ac750f05a164e48f3d0833ebf0252:

  selinux: get netif_wildcard policycap from policy instead of cache
    (2025-03-17 16:22:04 -0400)
----------------------------------------------------------------
selinux/stable-6.15 PR 20250323
----------------------------------------------------------------
"Kipp N. Davis" (1):
      selinux: add permission checks for loading other kinds of kernel
        files

Christian Göttsche (2):
      selinux: support wildcard network interface names
      selinux: get netif_wildcard policycap from policy instead of cache

Paul Moore (1):
      selinux: always check the file label in selinux_kernel_read_file()

Tanya Agarwal (1):
      selinux: fix spelling error

Tim Schumacher (1):
      selinux: Chain up tool resolving errors in install_policy.sh
 scripts/selinux/install_policy.sh          | 15 ++---
 security/selinux/avc.c                     |  2
 security/selinux/hooks.c                   | 58 +++++++++++++++++----
 security/selinux/include/classmap.h        |  4 +
 security/selinux/include/policycap.h       |  1
 security/selinux/include/policycap_names.h |  1
 security/selinux/include/security.h        |  8 ++
 security/selinux/ss/services.c             | 15 ++++-
 8 files changed, 79 insertions(+), 25 deletions(-)
--
paul-moore.com
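A constructed C model of the chunked-read flaw the third highlight describes, added here as an illustration; it is not the kernel's selinux_kernel_read_file() nor any code from this pull request. struct kfile, label_allowed(), the "only firmware_t is readable" policy and the contents-per-stage driver are all assumptions made for the model.

```c
/* Constructed model of a read-file hook that is only partially applied
 * to a multi-stage read; not the kernel's own code. */
#include <errno.h>
#include <stdbool.h>
#include <string.h>

struct kfile {
    const char *name;   /* constructed sample file name */
    const char *label;  /* constructed SELinux type of the file */
};

/* Stand-in for the AVC decision: the loading domain may read only
 * files labelled firmware_t (constructed policy, not a real one). */
static bool label_allowed(const char *label)
{
    return strcmp(label, "firmware_t") == 0;
}

/* Pre-fix shape: when @contents is false (a follow-up chunk of a
 * multi-stage read) the file is never consulted, so only the first
 * call ever sees the label. */
static int hook_first_chunk_only(const struct kfile *f, bool contents)
{
    if (!contents)
        return 0;
    return label_allowed(f->label) ? 0 : -EACCES;
}

/* Post-fix shape: the file label is checked on every call, whatever
 * @contents says about this stage of the read. */
static int hook_always_check(const struct kfile *f, bool contents)
{
    (void)contents;
    return label_allowed(f->label) ? 0 : -EACCES;
}

/* Drive a read of @nchunks stages through @hook. The first stage is
 * presented with contents=true and later stages with contents=false,
 * mirroring the "first chunk" wording of the cover letter (a simplified
 * driver, not the kernel's real call sequence). Returns the number of
 * stages the hook denied. */
static int count_denied(int (*hook)(const struct kfile *, bool),
                        const struct kfile *f, int nchunks)
{
    int denied = 0;
    for (int i = 0; i < nchunks; i++)
        if (hook(f, i == 0) != 0)
            denied++;
    return denied;
}
```

With a wrongly labelled file, the first shape denies only the opening stage and lets the remaining chunks through, while the second denies every stage.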