Message-ID: <c48b683b30a44eb12a0ff032876386fd@paul-moore.com>
Date: Mon, 01 Dec 2025 21:00:42 -0500
From: Paul Moore <paul@...l-moore.com>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: selinux@...r.kernel.org, linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [GIT PULL] selinux/selinux-pr-20251201
Linus,
A handful of SELinux changes for v6.19, the summary is below, but I
wanted to call out a merge conflict caused by the recent task/cred
changes sent up during the v6.18-rcX cycle. The conflict does require
some manual intervention to resolve, but it is limited to changing
the "SECCLASS_FILE" parameter in two avc_has_perm() calls to
"isec->sclass" in selinux_bprm_creds_for_exec(). The
selinux-pr-20251201.merge tag contains an example fixup of the merge
conflict.
Here is the pull request summary:
- Improve the granularity of SELinux labeling for memfd files
Currently when creating a memfd file, SELinux treats it the same as
any other tmpfs, or hugetlbfs, file. While simple, the drawback is
that it is not possible to differentiate between memfd and tmpfs
files. This pull request adds a call to the
security_inode_init_security_anon() LSM hook and wires up SELinux to
provide a set of memfd specific access controls, including the ability
to control the execution of memfds.
As usual, the commit message has more information.
- Improve the SELinux AVC lookup performance
Adopt the MurmurHash3 for the SELinux AVC hash function instead of
the custom hash function currently used. MurmurHash3 is already
used for the SELinux access vector table so the impact to the code
is minimal, and performance tests have shown improvements in both
hash distribution and latency.
See the commit message for the performance measurements.
- Introduce a Kconfig option for the SELinux AVC bucket/slot size
While we have the ability to grow the number of AVC hash buckets
today, the size of the buckets (slot size) is fixed at 512. This
pull request makes that slot size configurable at build time through
a new Kconfig knob, CONFIG_SECURITY_SELINUX_AVC_HASH_BITS.
Paul
--
The following changes since commit 211ddde0823f1442e4ad052a2f30f050145ccada:
Linux 6.18-rc2 (2025-10-19 15:19:16 -1000)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
tags/selinux-pr-20251201
for you to fetch changes up to 20d387d7ceab95aade436c363927b3ab81b0be36:
selinux: improve bucket distribution uniformity of avc_hash()
(2025-10-23 18:24:30 -0400)
----------------------------------------------------------------
selinux/stable-6.19 PR 20251201
----------------------------------------------------------------
Hongru Zhang (3):
selinux: Introduce a new config to make avc cache slot size
adjustable
selinux: Move avtab_hash() to a shared location for future reuse
selinux: improve bucket distribution uniformity of avc_hash()
Thiébaud Weksteen (1):
memfd,selinux: call security_inode_init_security_anon()
include/linux/memfd.h                      |  2
mm/memfd.c                                 | 14 +++++-
security/selinux/Kconfig                   | 11 ++++
security/selinux/avc.c                     |  9 ++--
security/selinux/hooks.c                   | 26 +++++++++--
security/selinux/include/classmap.h        |  2
security/selinux/include/hash.h            | 47 +++++++++++++++++++++
security/selinux/include/policycap.h       |  1
security/selinux/include/policycap_names.h |  1
security/selinux/include/security.h        |  5 ++
security/selinux/ss/avtab.c                | 39 +----------------
11 files changed, 110 insertions(+), 47 deletions(-)
--
paul-moore.com
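The AVC item in the summary above says the switch to MurmurHash3 improved bucket distribution over the old custom hash. The program below is an added illustration of what "bucket distribution uniformity" means for a cache keyed on (ssid, tsid, tclass); it is not code from the pull request or from the kernel. The MurmurHash3 x86_32 routine is the standard public-domain algorithm, and the 512-slot table follows the fixed slot size the summary mentions. Everything else is an assumption made for the demonstration: hash_xor() is a shift/xor mix of the kind the old avc_hash() used, hash_murmur() serialises the key little-endian before hashing, and both key sets are constructed. The measure is the number of slots in use and the longest chain, which is what bounds the worst-case AVC lookup cost.

```c
/* Added illustration, not kernel code: how well two hash functions spread
 * AVC-style keys (ssid, tsid, tclass) over a fixed number of cache slots.
 * Build with: cc -std=c99 -O2 avc_hash_demo.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AVC_SLOTS 512u		/* the fixed 512-slot size the summary refers to */

struct avc_key { uint32_t ssid, tsid; uint16_t tclass; };

static uint32_t rotl32(uint32_t x, int r) { return (x << r) | (x >> (32 - r)); }

/* MurmurHash3 x86_32 (Austin Appleby's public-domain algorithm). Blocks are
 * read little-endian explicitly, so the result does not depend on host order. */
uint32_t murmur3_32(const uint8_t *key, size_t len, uint32_t seed)
{
	const uint32_t c1 = 0xcc9e2d51u, c2 = 0x1b873593u;
	uint32_t h = seed, k = 0;
	size_t i, nblocks = len / 4;

	for (i = 0; i < nblocks; i++) {
		const uint8_t *p = key + 4 * i;
		k = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
		k *= c1; k = rotl32(k, 15); k *= c2;
		h ^= k; h = rotl32(h, 13); h = h * 5 + 0xe6546b64u;
	}
	k = 0;
	switch (len & 3) {			/* trailing 1..3 bytes */
	case 3: k ^= (uint32_t)key[nblocks * 4 + 2] << 16;	/* fall through */
	case 2: k ^= (uint32_t)key[nblocks * 4 + 1] << 8;	/* fall through */
	case 1: k ^= key[nblocks * 4];
		k *= c1; k = rotl32(k, 15); k *= c2; h ^= k;
	}
	h ^= (uint32_t)len;			/* finalisation mix */
	h ^= h >> 16; h *= 0x85ebca6bu;
	h ^= h >> 13; h *= 0xc2b2ae35u;
	h ^= h >> 16;
	return h;
}

/* Assumption: a shift/xor mix of the kind the old custom avc_hash() used.
 * The final mask discards every bit of ssid above bit 8. */
uint32_t hash_xor(const struct avc_key *k)
{
	return (k->ssid ^ (k->tsid << 2) ^ ((uint32_t)k->tclass << 4)) & (AVC_SLOTS - 1);
}

/* Assumption: serialise the three fields little-endian and hash the 10 bytes. */
uint32_t hash_murmur(const struct avc_key *k)
{
	uint8_t buf[10];
	for (int i = 0; i < 4; i++) {
		buf[i] = (uint8_t)(k->ssid >> (8 * i));
		buf[4 + i] = (uint8_t)(k->tsid >> (8 * i));
	}
	buf[8] = (uint8_t)k->tclass;
	buf[9] = (uint8_t)(k->tclass >> 8);
	return murmur3_32(buf, sizeof buf, 0) & (AVC_SLOTS - 1);
}

/* used: slots holding at least one key; max_load: longest chain (worst lookup). */
struct dist { unsigned used, max_load; };

struct dist measure(uint32_t (*h)(const struct avc_key *), const struct avc_key *keys, size_t n)
{
	unsigned counts[AVC_SLOTS] = {0};
	struct dist d = {0, 0};

	for (size_t i = 0; i < n; i++)
		counts[h(&keys[i]) % AVC_SLOTS]++;
	for (unsigned b = 0; b < AVC_SLOTS; b++) {
		if (counts[b]) d.used++;
		if (counts[b] > d.max_load) d.max_load = counts[b];
	}
	return d;
}

/* Constructed key set 1: SIDs that differ only in bits the xor mask drops. */
size_t build_high_bit_keys(struct avc_key *keys, size_t n)
{
	for (size_t i = 0; i < n; i++) {
		keys[i].ssid = 1000u + (uint32_t)i * 1024u;
		keys[i].tsid = 2; keys[i].tclass = 6;
	}
	return n;
}

/* Constructed key set 2: dense sequential SIDs and eight classes (32768 keys). */
size_t build_sequential_keys(struct avc_key *keys)
{
	size_t n = 0;
	for (uint32_t s = 1; s <= 64; s++)
		for (uint32_t t = 1; t <= 64; t++)
			for (uint16_t c = 1; c <= 8; c++, n++) {
				keys[n].ssid = s; keys[n].tsid = t; keys[n].tclass = c;
			}
	return n;
}

int main(void)
{
	static struct avc_key set1[256], set2[64 * 64 * 8];
	size_t n1 = build_high_bit_keys(set1, 256), n2 = build_sequential_keys(set2);
	struct dist a = measure(hash_xor, set1, n1), b = measure(hash_murmur, set1, n1);
	struct dist c = measure(hash_xor, set2, n2), d = measure(hash_murmur, set2, n2);

	printf("high-bit SIDs   xor: used=%u max=%u   murmur: used=%u max=%u\n", a.used, a.max_load, b.used, b.max_load);
	printf("sequential SIDs xor: used=%u max=%u   murmur: used=%u max=%u\n", c.used, c.max_load, d.used, d.max_load);
	return 0;
}
```

On the first key set every key lands in one slot under the xor mix, so the cache degrades to a 256-entry linear scan, while MurmurHash3 spreads the same keys across a couple of hundred slots. The second set is closer to a real AVC population (32768 keys over 512 slots, so an ideal mean chain of 64), and the longest chain is the figure worth comparing when evaluating a hash change, or when choosing a value for the new CONFIG_SECURITY_SELINUX_AVC_HASH_BITS knob.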