Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.19.11 2026-01-29T18:56:53+00:00 2026-01-29T18:56:53+00:00 Paul Moore paul@paul-moore.com 2026-01-29T18:31:56+00:00 urn:sha1:bdde21d3e77da55121885fd2ef42bc6a15ac2f0c While reworking the LSM initialization code the /proc/sys/vm/mmap_min_addr handler was inadvertently caught up in the change and the procfs entry wasn't setup when CONFIG_SECURITY was not selected at kernel build time. This patch restores the previous behavior and ensures that the procfs entry is setup regardless of the CONFIG_SECURITY state. Future work will improve upon this, likely by moving the procfs handler into the mm subsystem, but this patch should resolve the immediate regression. Fixes: 4ab5efcc2829 ("lsm: consolidate all of the LSM framework initcalls") Reported-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> Tested-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> Reviewed-by: Kees Cook <kees@kernel.org> Signed-off-by: Paul Moore <paul@paul-moore.com> 2025-11-19T15:32:06+00:00 Paul Moore paul@paul-moore.com 2025-11-19T00:18:10+00:00 urn:sha1:9a948eefad594c42717f29824dd40d6dc0b7aa13 We need to directly allocate the cred's LSM state for the initial task when we initialize the LSM framework. Unfortunately, this results in a RCU related type mismatch, use the unrcu_pointer() macro to handle this a bit more elegantly. The explicit type casting still remains as we need to work around the constification of current->cred in this particular case. Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 2025-10-22T23:24:29+00:00 Paul Moore paul@paul-moore.com 2025-02-21T16:53:29+00:00 urn:sha1:dfa024bc3f67a97e1a975dd66b83af8b3845eb19 Add a new LSM notifier event, LSM_STARTED_ALL, which is fired once at boot when all of the LSMs have been started. Reviewed-by: Kees Cook <kees@kernel.org> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: John Johansen <john.johhansen@canonical.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 2025-10-22T23:24:28+00:00 Paul Moore paul@paul-moore.com 2025-02-18T22:25:20+00:00 urn:sha1:4ab5efcc2829a38a3adcfdd9cd0c0e0eb6fb6939 The LSM framework itself registers a small number of initcalls, this patch converts these initcalls into the new initcall mechanism. Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: John Johansen <john.johhansen@canonical.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 2025-10-22T23:24:24+00:00 Paul Moore paul@paul-moore.com 2025-02-11T17:18:35+00:00 urn:sha1:cdc028812f727907d1575cf454a5f01ddffa7750 Currently the individual LSMs register their own initcalls, and while this should be harmless, it can be wasteful in the case where a LSM is disabled at boot as the initcall will still be executed. This patch introduces support for managing the initcalls in the LSM framework, and future patches will convert the existing LSMs over to this new mechanism. Only initcall types which are used by the current in-tree LSMs are supported, additional initcall types can easily be added in the future if needed. Reviewed-by: Kees Cook <kees@kernel.org> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: John Johansen <john.johhansen@canonical.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 2025-10-22T23:24:24+00:00 Paul Moore paul@paul-moore.com 2025-07-21T20:36:03+00:00 urn:sha1:3423c6397ce21356c3c2fac0b2727d428d96cfa4 Move the lsm_order_parse() function near the other lsm_order_*() functions to improve readability. No code changes. Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: John Johansen <john.johhansen@canonical.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 2025-10-22T23:24:23+00:00 Paul Moore paul@paul-moore.com 2025-03-19T20:38:20+00:00 urn:sha1:ac3c47cece27014e34d2ec561d72c0a7c7de50a9 This will display all of the LSMs built into the kernel, regardless of if they are enabled or not. Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: John Johansen <john.johhansen@canonical.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 2025-10-22T23:24:23+00:00 Paul Moore paul@paul-moore.com 2025-02-12T23:20:01+00:00 urn:sha1:5137e583ba2635b82667dc63cb35305750420411 Move away from an init specific init_debug() macro to a more general lsm_pr()/lsm_pr_cont()/lsm_pr_dbg() set of macros that are available both before and after init. In the process we do a number of minor changes to improve the LSM initialization output and cleanup the code somewhat. Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: John Johansen <john.johhansen@canonical.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 2025-10-22T23:24:23+00:00 Paul Moore paul@paul-moore.com 2025-02-12T23:17:03+00:00 urn:sha1:450705334f698990804b470437f3014cee979486 Add function header comments for lsm_static_call_init() and early_security_init(), tweak the existing comment block for security_add_hooks(). Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: John Johansen <john.johhansen@canonical.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 2025-10-22T23:24:22+00:00 Paul Moore paul@paul-moore.com 2025-02-12T23:10:37+00:00 urn:sha1:45a41d1394aa2ed0305f0560f93bb87be7192481 With only security_init() calling lsm_init_ordered, it makes little sense to keep lsm_init_ordered() as a standalone function. Fold lsm_init_ordered() into security_init(). Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: John Johansen <john.johhansen@canonical.com> Signed-off-by: Paul Moore <paul@paul-moore.com>