Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.4.15 2023-04-24T18:33:07+00:00 2023-04-24T18:33:07+00:00 Linus Torvalds torvalds@linux-foundation.org 2023-04-24T18:33:07+00:00 urn:sha1:5af4b523ba9be70372eafab02ebfb9babf77ec7d Pull tomoyo update from Tetsuo Handa: "One cleanup patch from Vlastimil Babka" * tag 'tomoyo-pr-20230424' of git://git.osdn.net/gitroot/tomoyo/tomoyo-test1: tomoyo: replace tomoyo_round2() with kmalloc_size_roundup() 2023-03-20T16:34:23+00:00 Paul Moore paul@paul-moore.com 2023-03-17T16:43:07+00:00 urn:sha1:f22f9aaf6c3d92ebd5ad9e67acc03afebaaeb289 After working with the larger SELinux-based distros for several years, we're finally at a place where we can disable the SELinux runtime disable functionality. The existing kernel deprecation notice explains the functionality and why we want to remove it: The selinuxfs "disable" node allows SELinux to be disabled at runtime prior to a policy being loaded into the kernel. If disabled via this mechanism, SELinux will remain disabled until the system is rebooted. The preferred method of disabling SELinux is via the "selinux=0" boot parameter, but the selinuxfs "disable" node was created to make it easier for systems with primitive bootloaders that did not allow for easy modification of the kernel command line. Unfortunately, allowing for SELinux to be disabled at runtime makes it difficult to secure the kernel's LSM hooks using the "__ro_after_init" feature. It is that last sentence, mentioning the '__ro_after_init' hardening, which is the real motivation for this change, and if you look at the diffstat you'll see that the impact of this patch reaches across all the different LSMs, helping prevent tampering at the LSM hook level. From a SELinux perspective, it is important to note that if you continue to disable SELinux via "/etc/selinux/config" it may appear that SELinux is disabled, but it is simply in an uninitialized state. If you load a policy with `load_policy -i`, you will see SELinux come alive just as if you had loaded the policy during early-boot. It is also worth noting that the "/sys/fs/selinux/disable" file is always writable now, regardless of the Kconfig settings, but writing to the file has no effect on the system, other than to display an error on the console if a non-zero/true value is written. Finally, in the several years where we have been working on deprecating this functionality, there has only been one instance of someone mentioning any user visible breakage. In this particular case it was an individual's kernel test system, and the workaround documented in the deprecation notice ("selinux=0" on the kernel command line) resolved the issue without problem. Acked-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 2023-03-01T14:46:12+00:00 Vlastimil Babka vbabka@suse.cz 2023-02-28T09:35:56+00:00 urn:sha1:c120c98486c2855d2ae266c2af63d26f61dfcc4e It seems tomoyo has had its own implementation of what kmalloc_size_roundup() does today. Remove the function tomoyo_round2() and replace it with kmalloc_size_roundup(). It provides more accurate results and doesn't contain a while loop. Signed-off-by: Vlastimil Babka <vbabka@suse.cz> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> 2023-01-13T14:11:38+00:00 Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp 2023-01-13T14:11:38+00:00 urn:sha1:fa17087e244263627a01d6a9b76b8fdaf410de34 SourceForge.JP was renamed to OSDN in May 2015. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> 2023-01-13T14:10:03+00:00 Paul E. McKenney paulmck@kernel.org 2023-01-13T14:08:04+00:00 urn:sha1:1ed8a46256771de283772d482403691807214cf7 Now that the SRCU Kconfig option is unconditionally selected, there is no longer any point in selecting it. Therefore, remove the "select SRCU" Kconfig statements. Signed-off-by: Paul E. McKenney <paulmck@kernel.org> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> 2023-01-09T12:46:50+00:00 Masahiro Yamada masahiroy@kernel.org 2023-01-08T13:47:26+00:00 urn:sha1:80f8be7af03ffe90dc4df998b16bfa212afbdde9 bin2c was, as its name implies, introduced to convert a binary file to C code. However, I did not see any good reason ever for using this tool because using the .incbin directive is much faster, and often results in simpler code. Most of the uses of bin2c have been killed, for example: - 13610aa908dc ("kernel/configs: use .incbin directive to embed config_data.gz") - 4c0f032d4963 ("s390/purgatory: Omit use of bin2c") security/tomoyo/Makefile has even less reason for using bin2c because the policy files are text data. So, sed is enough for converting them to C string literals, and what is nicer, generates human-readable builtin-policy.h. This is the last user of bin2c. After this commit lands, bin2c will be removed. Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> [penguin-kernel: Update sed script to also escape backslash and quote ] Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> 2023-01-07T12:31:35+00:00 Masahiro Yamada masahiroy@kernel.org 2023-01-07T07:47:42+00:00 urn:sha1:df4840c1b880136fea97a1d64724995778c2475f When CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING=y, builtin-policy.h is unneeded. Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> 2023-01-07T12:30:48+00:00 Masahiro Yamada masahiroy@kernel.org 2023-01-07T07:47:41+00:00 urn:sha1:eaf2213ba563b2d74a1f2c13a6b258273f689802 If *.conf.default is updated, builtin-policy.h should be rebuilt, but this does not work when compiled with O= option. [Without this commit] $ touch security/tomoyo/policy/exception_policy.conf.default $ make O=/tmp security/tomoyo/ make[1]: Entering directory '/tmp' GEN Makefile CALL /home/masahiro/ref/linux/scripts/checksyscalls.sh DESCEND objtool make[1]: Leaving directory '/tmp' [With this commit] $ touch security/tomoyo/policy/exception_policy.conf.default $ make O=/tmp security/tomoyo/ make[1]: Entering directory '/tmp' GEN Makefile CALL /home/masahiro/ref/linux/scripts/checksyscalls.sh DESCEND objtool POLICY security/tomoyo/builtin-policy.h CC security/tomoyo/common.o AR security/tomoyo/built-in.a make[1]: Leaving directory '/tmp' $(srctree)/ is essential because $(wildcard ) does not follow VPATH. Fixes: f02dee2d148b ("tomoyo: Do not generate empty policy files") Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> 2022-10-19T07:01:40+00:00 Günther Noack gnoack3000@gmail.com 2022-10-18T18:22:06+00:00 urn:sha1:3350607dc5637be2563f484dcfe2fed456f3d4ff Like path_truncate, the file_truncate hook also restricts file truncation, but is called in the cases where truncation is attempted on an already-opened file. This is required in a subsequent commit to handle ftruncate() operations differently to truncate() operations. Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Acked-by: John Johansen <john.johansen@canonical.com> Acked-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20221018182216.301684-2-gnoack3000@gmail.com Signed-off-by: Mickaël Salaün <mic@digikod.net> 2022-08-21T15:50:42+00:00 Al Viro viro@zeniv.linux.org.uk 2022-01-31T02:15:36+00:00 urn:sha1:467cf8ef88d3124c189e2ff4726fe5247a88fe46 Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>