Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v4.18.10 2018-05-03T22:55:23+00:00 2018-05-03T22:55:23+00:00 Björn Töpel bjorn.topel@intel.com 2018-05-02T11:01:22+00:00 urn:sha1:68e8b849b221b37a78a110a0307717d45e3593a0 Buildable skeleton of AF_XDP without any functionality. Just what it takes to register a new address family. Signed-off-by: Björn Töpel <bjorn.topel@intel.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> 2018-04-06T22:39:26+00:00 Linus Torvalds torvalds@linux-foundation.org 2018-04-06T22:39:26+00:00 urn:sha1:9eda2d2dca830f0f8923b1f377d0fb70f576af1d Pull SELinux updates from Paul Moore: "A bigger than usual pull request for SELinux, 13 patches (lucky!) along with a scary looking diffstat. Although if you look a bit closer, excluding the usual minor tweaks/fixes, there are really only two significant changes in this pull request: the addition of proper SELinux access controls for SCTP and the encapsulation of a lot of internal SELinux state. The SCTP changes are the result of a multi-month effort (maybe even a year or longer?) between the SELinux folks and the SCTP folks to add proper SELinux controls. A special thanks go to Richard for seeing this through and keeping the effort moving forward. The state encapsulation work is a bit of janitorial work that came out of some early work on SELinux namespacing. The question of namespacing is still an open one, but I believe there is some real value in the encapsulation work so we've split that out and are now sending that up to you" * tag 'selinux-pr-20180403' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: selinux: wrap AVC state selinux: wrap selinuxfs state selinux: fix handling of uninitialized selinux state in get_bools/classes selinux: Update SELinux SCTP documentation selinux: Fix ltp test connect-syscall failure selinux: rename the {is,set}_enforcing() functions selinux: wrap global selinux state selinux: fix typo in selinux_netlbl_sctp_sk_clone declaration selinux: Add SCTP support sctp: Add LSM hooks sctp: Add ip option support security: Add support for SCTP security hooks netlabel: If PF_INET6, check sk_buff ip header version 2018-03-29T17:47:53+00:00 Kirill Tkhai ktkhai@virtuozzo.com 2018-03-29T16:20:56+00:00 urn:sha1:350311aab4c0b2477f9cf3fb03cef2e4cd6c3b18 rt_genid_bump_all() consists of ipv4 and ipv6 part. ipv4 part is incrementing of net::ipv4::rt_genid, and I see many places, where it's read without rtnl_lock(). ipv6 part calls __fib6_clean_all(), and it's also called without rtnl_lock() in other places. So, rtnl_lock() here was used to iterate net_namespace_list only, and we can remove it. Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2018-03-29T17:47:53+00:00 Kirill Tkhai ktkhai@virtuozzo.com 2018-03-29T16:20:32+00:00 urn:sha1:f0b07bb151b098d291fd1fd71ef7a2df56fb124a rtnl_lock() is used everywhere, and contention is very high. When someone wants to iterate over alive net namespaces, he/she has no a possibility to do that without exclusive lock. But the exclusive rtnl_lock() in such places is overkill, and it just increases the contention. Yes, there is already for_each_net_rcu() in kernel, but it requires rcu_read_lock(), and this can't be sleepable. Also, sometimes it may be need really prevent net_namespace_list growth, so for_each_net_rcu() is not fit there. This patch introduces new rw_semaphore, which will be used instead of rtnl_mutex to protect net_namespace_list. It is sleepable and allows not-exclusive iterations over net namespaces list. It allows to stop using rtnl_lock() in several places (what is made in next patches) and makes less the time, we keep rtnl_mutex. Here we just add new lock, while the explanation of we can remove rtnl_lock() there are in next patches. Fine grained locks generally are better, then one big lock, so let's do that with net_namespace_list, while the situation allows that. Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2018-03-20T20:58:17+00:00 Stephen Smalley sds@tycho.nsa.gov 2018-03-05T16:47:56+00:00 urn:sha1:6b6bc6205d98796361962ee282a063f18ba8dc57 Wrap the AVC state within the selinux_state structure and pass it explicitly to all AVC functions. The AVC private state is encapsulated in a selinux_avc structure that is referenced from the selinux_state. This change should have no effect on SELinux behavior or APIs (userspace or LSM). Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Reviewed-by: James Morris <james.morris@microsoft.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 2018-03-02T19:18:55+00:00 Paul Moore paul@paul-moore.com 2018-03-01T22:38:30+00:00 urn:sha1:e5a5ca96a42ca7eee19cf8694377308771350950 Rename is_enforcing() to enforcing_enabled() and enforcing_set() to set_enforcing(). Signed-off-by: Paul Moore <paul@paul-moore.com> 2018-03-01T23:48:02+00:00 Stephen Smalley sds@tycho.nsa.gov 2018-03-01T23:48:02+00:00 urn:sha1:aa8e712cee93d520e96a2ca8e3a20f807c937e3f Define a selinux state structure (struct selinux_state) for global SELinux state and pass it explicitly to all security server functions. The public portion of the structure contains state that is used throughout the SELinux code, such as the enforcing mode. The structure also contains a pointer to a selinux_ss structure whose definition is private to the security server and contains security server specific state such as the policy database and SID table. This change should have no effect on SELinux behavior or APIs (userspace or LSM). It merely wraps SELinux state and passes it explicitly as needed. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> [PM: minor fixups needed due to collisions with the SCTP patches] Signed-off-by: Paul Moore <paul@paul-moore.com> 2018-02-26T22:45:32+00:00 Arnd Bergmann arnd@arndb.de 2018-02-23T21:12:09+00:00 urn:sha1:2572f5b4245abf2b4e5a86cabf65a50efda09aac A missing 'struct' keyword caused a build error when CONFIG_NETLABEL is disabled: In file included from security/selinux/hooks.c:99: security/selinux/include/netlabel.h:135:66: error: unknown type name 'sock' static inline void selinux_netlbl_sctp_sk_clone(struct sock *sk, sock *newsk) ^~~~ security/selinux/hooks.c: In function 'selinux_sctp_sk_clone': security/selinux/hooks.c:5188:2: error: implicit declaration of function 'selinux_netlbl_sctp_sk_clone'; did you mean 'selinux_netlbl_inet_csk_clone'? [-Werror=implicit-function-declaration] Fixes: db97c9f9d312 ("selinux: Add SCTP support") Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Paul Moore <paul@paul-moore.com> 2018-02-26T22:45:25+00:00 Richard Haines richard_c_haines@btinternet.com 2018-02-13T20:57:18+00:00 urn:sha1:d452930fd3b9031e59abfeddb2fa383f1403d61a The SELinux SCTP implementation is explained in: Documentation/security/SELinux-sctp.rst Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 2018-01-31T22:16:13+00:00 Linus Torvalds torvalds@linux-foundation.org 2018-01-31T22:16:13+00:00 urn:sha1:2cfa1cd3da14814a1e9ec6a4fce8612637d3ee3d Pull selinux updates from Paul Moore: "A small pull request this time, just three patches, and one of these is just a comment update (swap the FSF physical address for a URL). The other two patches are small bug fixes found by szybot/syzkaller; they individual patch descriptions should tell you all you ever wanted to know" * tag 'selinux-pr-20180130' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: selinux: skip bounded transition processing if the policy isn't loaded selinux: ensure the context is NUL terminated in security_context_to_sid_core() security: replace FSF address with web source in license notices