Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.19.11 2026-03-25T10:13:32+00:00 2026-03-25T10:13:32+00:00 Juergen Gross jgross@suse.com 2025-10-14T11:28:15+00:00 urn:sha1:916c52aed0cb5c5e3f2ba8a5e3ae52775b22e1a0 commit 1613462be621ad5103ec338a7b0ca0746ec4e5f1 upstream. When running in an unprivileged domU under Xen, the privcmd driver is restricted to allow only hypercalls against a target domain, for which the current domU is acting as a device model. Add a boot parameter "unrestricted" to allow all hypercalls (the hypervisor will still refuse destructive hypercalls affecting other guests). Make this new parameter effective only in case the domU wasn't started using secure boot, as otherwise hypercalls targeting the domU itself might result in violating the secure boot functionality. This is achieved by adding another lockdown reason, which can be tested to not being set when applying the "unrestricted" option. This is part of XSA-482 Signed-off-by: Juergen Gross <jgross@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-10-22T23:24:23+00:00 Paul Moore paul@paul-moore.com 2025-02-12T23:20:01+00:00 urn:sha1:5137e583ba2635b82667dc63cb35305750420411 Move away from an init specific init_debug() macro to a more general lsm_pr()/lsm_pr_cont()/lsm_pr_dbg() set of macros that are available both before and after init. In the process we do a number of minor changes to improve the LSM initialization output and cleanup the code somewhat. Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: John Johansen <john.johhansen@canonical.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 2025-10-22T23:24:19+00:00 Paul Moore paul@paul-moore.com 2025-02-12T20:36:51+00:00 urn:sha1:250898ca335f337bc032a9693dc0a30a1cb85825 Move the LSM active count and lsm_id list declarations out of a header that is visible across the kernel and into a header that is limited to the LSM framework. This not only helps keep the include/linux headers smaller and cleaner, it helps prevent misuse of these variables. Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: John Johansen <john.johhansen@canonical.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 2025-10-22T23:24:16+00:00 Paul Moore paul@paul-moore.com 2025-02-06T21:44:10+00:00 urn:sha1:67a4b6a89b99aff0883114e4ecba4b11aedc29a5 Continue to pull code out of security/security.c to help improve readability by pulling all of the LSM framework initialization code out into a new file. No code changes. Reviewed-by: Kees Cook <kees@kernel.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 2025-10-22T23:24:15+00:00 Paul Moore paul@paul-moore.com 2025-02-11T00:20:58+00:00 urn:sha1:a5e7c17c810052e94dae36f1a976a052f4490458 In an effort to decompose security/security.c somewhat to make it less twisted and unwieldy, pull out the LSM notifier code into a new file as it is fairly well self-contained. No code changes. Reviewed-by: Kees Cook <kees@kernel.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 2025-10-03T18:14:02+00:00 Linus Torvalds torvalds@linux-foundation.org 2025-10-03T18:14:02+00:00 urn:sha1:33fc69a05c50f00f1218408a56348bcab95b831d Pull d_name audit update from Al Viro: "Simplifying ->d_name audits, easy part. Turn dentry->d_name into an anon union of const struct qsrt (d_name itself) and a writable alias (__d_name). With constification of some struct qstr * arguments of functions that get &dentry->d_name passed to them, that ends up with all modifications provably done only in fs/dcache.c (and a fairly small part of it). Any new places doing modifications will be easy to find - grep for __d_name will suffice" * tag 'pull-qstr' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: make it easier to catch those who try to modify ->d_name generic_ci_validate_strict_name(): constify name argument afs_dir_search: constify qstr argument afs_edit_dir_{add,remove}(): constify qstr argument exfat_find(): constify qstr argument security_dentry_init_security(): constify qstr argument 2025-09-30T15:48:29+00:00 Linus Torvalds torvalds@linux-foundation.org 2025-09-30T15:48:29+00:00 urn:sha1:76f01a4f22c465bdb63ee19aaf5b682c5893ba96 Pull lsm updates from Paul Moore: - Move the management of the LSM BPF security blobs into the framework In order to enable multiple LSMs we need to allocate and free the various security blobs in the LSM framework and not the individual LSMs as they would end up stepping all over each other. - Leverage the lsm_bdev_alloc() helper in lsm_bdev_alloc() Make better use of our existing helper functions to reduce some code duplication. - Update the Rust cred code to use 'sync::aref' Part of a larger effort to move the Rust code over to the 'sync' module. - Make CONFIG_LSM dependent on CONFIG_SECURITY As the CONFIG_LSM Kconfig setting is an ordered list of the LSMs to enable a boot, it obviously doesn't make much sense to enable this when CONFIG_SECURITY is disabled. - Update the LSM and CREDENTIALS sections in MAINTAINERS with Rusty bits Add the Rust helper files to the associated LSM and CREDENTIALS entries int the MAINTAINERS file. We're trying to improve the communication between the two groups and making sure we're all aware of what is going on via cross-posting to the relevant lists is a good way to start. * tag 'lsm-pr-20250926' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm: lsm: CONFIG_LSM can depend on CONFIG_SECURITY MAINTAINERS: add the associated Rust helper to the CREDENTIALS section MAINTAINERS: add the associated Rust helper to the LSM section rust,cred: update AlwaysRefCounted import to sync::aref security: use umax() to improve code lsm,selinux: Add LSM blob support for BPF objects lsm: use lsm_blob_alloc() in lsm_bdev_alloc() 2025-09-30T15:22:16+00:00 Linus Torvalds torvalds@linux-foundation.org 2025-09-30T15:22:16+00:00 urn:sha1:56a0810d8ca406648fe01ec996ade1d61bf8ec8d Pull audit updates from Paul Moore: - Proper audit support for multiple LSMs As the audit subsystem predated the work to enable multiple LSMs, some additional work was needed to support logging the different LSM labels for the subjects/tasks and objects on the system. Casey's patches add new auxillary records for subjects and objects that convey the additional labels. - Ensure fanotify audit events are always generated Generally speaking security relevant subsystems always generate audit events, unless explicitly ignored. However, up to this point fanotify events had been ignored by default, but starting with this pull request fanotify follows convention and generates audit events by default. - Replace an instance of strcpy() with strscpy() - Minor indentation, style, and comment fixes * tag 'audit-pr-20250926' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit: audit: fix skb leak when audit rate limit is exceeded audit: init ab->skb_list earlier in audit_buffer_alloc() audit: add record for multiple object contexts audit: add record for multiple task security contexts lsm: security_lsmblob_to_secctx module selection audit: create audit_stamp structure audit: add a missing tab audit: record fanotify event regardless of presence of rules audit: fix typo in auditfilter.c comment audit: Replace deprecated strcpy() with strscpy() audit: fix indentation in audit_log_exit() 2025-09-16T01:08:33+00:00 Al Viro viro@zeniv.linux.org.uk 2024-02-05T02:25:18+00:00 urn:sha1:f9fadf23c7f1a0df72ef50a873e1bd3bd4631ec1 Nothing outside of fs/dcache.c has any business modifying dentry names; passing &dentry->d_name as an argument should have that argument declared as a const pointer. Acked-by: Casey Schaufler <casey@schaufler-ca.com> # smack part Acked-by: Paul Moore <paul@paul-moore.com> Reviewed-by: Christian Brauner <brauner@kernel.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2025-09-01T13:31:34+00:00 Simon Schuster schuster.simon@siemens-energy.com 2025-09-01T13:09:51+00:00 urn:sha1:edd3cb05c00a040dc72bed20b14b5ba865188bce With the introduction of clone3 in commit 7f192e3cd316 ("fork: add clone3") the effective bit width of clone_flags on all architectures was increased from 32-bit to 64-bit, with a new type of u64 for the flags. However, for most consumers of clone_flags the interface was not changed from the previous type of unsigned long. While this works fine as long as none of the new 64-bit flag bits (CLONE_CLEAR_SIGHAND and CLONE_INTO_CGROUP) are evaluated, this is still undesirable in terms of the principle of least surprise. Thus, this commit fixes all relevant interfaces of callees to sys_clone3/copy_process (excluding the architecture-specific copy_thread) to consistently pass clone_flags as u64, so that no truncation to 32-bit integers occurs on 32-bit architectures. Signed-off-by: Simon Schuster <schuster.simon@siemens-energy.com> Link: https://lore.kernel.org/20250901-nios2-implement-clone3-v2-2-53fcf5577d57@siemens-energy.com Acked-by: David Hildenbrand <david@redhat.com> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> Reviewed-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Christian Brauner <brauner@kernel.org>