Message-ID: <c19db64a8086ec30050d9f5012204a6b@paul-moore.com>
Date: Tue, 27 May 2025 18:57:40 -0400
From: Paul Moore <paul@...l-moore.com>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: selinux@...r.kernel.org, linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [GIT PULL] selinux/selinux-pr-20250527
Linus,
Nine SELinux patches for the Linux v6.16 merge window:
- Reduce the SELinux impact on path walks.
Add a small directory access cache to the per-task SELinux state.
This cache allows SELinux to cache the most recently used directory
access decisions in order to avoid repeatedly querying the AVC
on path walks where the majority of the directories have similar
security contexts/labels. My performance measurements are crude,
but prior to this patch the time spent in SELinux code on a
'make allmodconfig' run was 103% that of __d_lookup_rcu(), and with
this patch the time spent in SELinux code dropped to 63% of
__d_lookup_rcu(), a ~40% improvement.
Additional improvements can be expected in the future, but those will
require additional SELinux policy/toolchain support.
- Add support for wildcards in genfscon policy statements.
This patch allows for wildcards in the genfscon path matching logic
as opposed to the prefix matching that was used prior to this change.
Adding wildcard support allows for more expressive and efficient path
matching in the policy which is especially helpful for sysfs, and has
resulted in a ~15% boot time reduction in Android.
SELinux policies can opt into wildcard matching by using the
"genfs_seclabel_wildcard" policy capability.
- Unify the error/OOM handling of the SELinux network caches.
A failure to allocate memory for the SELinux network caches isn't
fatal as the object label can still be safely returned to the caller,
it simply means that we cannot add the new data to the cache, at least
temporarily. This patch corrects this behavior for the InfiniBand
cache and does some minor cleanup.
- Minor improvements around constification, 'likely' annotations, and
removal of bogus comments.
Paul
--
The following changes since commit 0af2f6be1b4281385b618cb86ad946eded089ac8:
Linux 6.15-rc1 (2025-04-06 13:11:33 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
tags/selinux-pr-20250527
for you to fetch changes up to 05f1a939225ec895a97a6b2f1cf64e329b6474f5:
selinux: fix the kdoc header for task_avdcache_update
(2025-04-12 11:37:06 -0400)
----------------------------------------------------------------
selinux-pr-20250527
----------------------------------------------------------------
Christian Göttsche (5):
selinux: constify network address pointer
selinux: contify network namespace pointer
selinux: add likely hints for fast paths
selinux: unify OOM handling in network hashtables
selinux: drop copy-paste comment
Paul Moore (3):
selinux: reduce path walk overhead
selinux: remove a duplicated include
selinux: fix the kdoc header for task_avdcache_update
Takaya Saeki (1):
selinux: support wildcard match in genfscon
security/selinux/hooks.c | 225 +++++++++++++++------
security/selinux/ibpkey.c | 13 -
security/selinux/include/netnode.h | 2
security/selinux/include/objsec.h | 16 +
security/selinux/include/policycap.h | 1
security/selinux/include/policycap_names.h | 1
security/selinux/include/security.h | 2
security/selinux/netif.c | 6
security/selinux/netnode.c | 15 -
security/selinux/netport.c | 14 -
security/selinux/ss/services.c | 22 +-
11 files changed, 232 insertions(+), 85 deletions(-)
--
paul-moore.com
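As an added illustration of the genfscon matching change described in the pull request above (my own example, not code from the kernel or this series), here is a small Python model contrasting the old prefix match with whole-path wildcard matching gated by a capability flag. The '*'/'?' semantics, the longest-pattern-first ordering and the sample sysfs policy entries are my assumptions.

```python
"""Toy model of SELinux genfscon label lookup: prefix match vs. wildcard match."""
from dataclasses import dataclass


@dataclass(frozen=True)
class GenfsEntry:
    path: str     # path (or pattern) from a genfscon statement
    context: str  # label assigned when the entry matches


def wildcard_match(pattern: str, path: str) -> bool:
    """Whole-string glob match: '*' matches any run, '?' one char (assumed semantics)."""
    if not pattern:
        return not path
    if pattern[0] == "*":
        return any(wildcard_match(pattern[1:], path[i:]) for i in range(len(path) + 1))
    return bool(path) and pattern[0] in ("?", path[0]) and wildcard_match(pattern[1:], path[1:])


def genfs_lookup(entries, path: str, wildcard: bool = False):
    """Return the context of the first matching entry, or None.

    Longer patterns are tried first so the most specific entry wins (assumed to
    mirror the kernel's ordering).  With wildcard=False (capability off) an entry
    matches if it is a prefix of the path; with wildcard=True the pattern must
    match the whole path, so catch-all entries need a trailing '*'.
    """
    for e in sorted(entries, key=lambda e: (-len(e.path), e.path)):
        hit = wildcard_match(e.path, path) if wildcard else path.startswith(e.path)
        if hit:
            return e.context
    return None


# Constructed sample policies for a sysfs mount (not real Android or refpolicy entries).
PREFIX_POLICY = [
    GenfsEntry("/", "u:object_r:sysfs:s0"),
    GenfsEntry("/devices/system/cpu", "u:object_r:sysfs_cpu:s0"),
    GenfsEntry("/devices/platform/*/power", "u:object_r:sysfs_power:s0"),  # literal '*'
]
WILDCARD_POLICY = [
    GenfsEntry("/*", "u:object_r:sysfs:s0"),
    GenfsEntry("/devices/system/cpu*", "u:object_r:sysfs_cpu:s0"),
    GenfsEntry("/devices/platform/*/power", "u:object_r:sysfs_power:s0"),
]

if __name__ == "__main__":
    for p in ("/devices/system/cpu/cpu0", "/devices/platform/foo/power", "/fs/cgroup"):
        print(p, genfs_lookup(PREFIX_POLICY, p), genfs_lookup(WILDCARD_POLICY, p, wildcard=True))
```

Note that a wildcard-style policy evaluated without the capability matches nothing useful (the '/*' catch-all is not a prefix of any real path), which is why the behaviour is opt-in per policy.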