
Commit 7f85565a authored by Linus Torvalds
Pull selinux updates from Paul Moore:
 "A relatively quiet period for SELinux, 11 patches with only two/three
  having any substantive changes.

  These noteworthy changes include another tweak to the NNP/nosuid
  handling, per-file labeling for cgroups, and an object class fix for
  AF_UNIX/SOCK_RAW sockets; the rest of the changes are minor tweaks or
  administrative updates (Stephen's email update explains the file
  explosion in the diffstat).

  Everything passes the selinux-testsuite"

[ Also a couple of small patches from the security tree from Tetsuo
  Handa for Tomoyo and LSM cleanup. The separation of security policy
  updates wasn't all that clean - Linus ]

* tag 'selinux-pr-20170831' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: constify nf_hook_ops
  selinux: allow per-file labeling for cgroupfs
  lsm_audit: update my email address
  selinux: update my email address
  MAINTAINERS: update the NetLabel and Labeled Networking information
  selinux: use GFP_NOWAIT in the AVC kmem_caches
  selinux: Generalize support for NNP/nosuid SELinux domain transitions
  selinux: genheaders should fail if too many permissions are defined
  selinux: update the selinux info in MAINTAINERS
  credits: update Paul Moore's info
  selinux: Assign proper class to PF_UNIX/SOCK_RAW sockets
  tomoyo: Update URLs in Documentation/admin-guide/LSM/tomoyo.rst
  LSM: Remove security_task_create() hook.
parents 680352bd 0c3014f2
+3 −5
@@ -2606,11 +2606,9 @@ E: tmolina@cablespeed.com
D: bug fixes, documentation, minor hackery

N: Paul Moore
E: paul.moore@hp.com
D: NetLabel author
S: Hewlett-Packard
S: 110 Spit Brook Road
S: Nashua, NH 03062
E: paul@paul-moore.com
W: http://www.paul-moore.com
D: NetLabel, SELinux, audit

N: James Morris
E: jmorris@namei.org
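Review bot: the new W: line points at plain http://www.paul-moore.com, while the SELinux MAINTAINERS entry later in this same diff moves its W: links to https; if the personal site serves https, use it here as well so the two entries stay consistent. Dropping the three S: postal-address lines together with the @hp.com address is fine, since the W: line now serves as the contact pointer.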
+12 −12
@@ -9,8 +9,8 @@ TOMOYO is a name-based MAC extension (LSM module) for the Linux kernel.

LiveCD-based tutorials are available at

http://tomoyo.sourceforge.jp/1.7/1st-step/ubuntu10.04-live/
http://tomoyo.sourceforge.jp/1.7/1st-step/centos5-live/
http://tomoyo.sourceforge.jp/1.8/ubuntu12.04-live.html
http://tomoyo.sourceforge.jp/1.8/centos6-live.html

Though these tutorials use non-LSM version of TOMOYO, they are useful for you
to know what TOMOYO is.
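Review bot: the replacement tutorial links stay on tomoyo.sourceforge.jp, while the last hunk of this file moves the non-LSM download link to tomoyo.osdn.jp/1.8/; if the sourceforge.jp host is being retired, these two links should move with it, otherwise confirm it still redirects. Also, the new URLs use an .html suffix where the old ones were directory paths, so it is worth checking both resolve. Small grammar fix for the unchanged context line: "Though these tutorials use the non-LSM version of TOMOYO".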
@@ -21,35 +21,35 @@ How to enable TOMOYO?
Build the kernel with ``CONFIG_SECURITY_TOMOYO=y`` and pass ``security=tomoyo`` on
kernel's command line.

Please see http://tomoyo.sourceforge.jp/2.3/ for details.
Please see http://tomoyo.osdn.jp/2.5/ for details.

Where is documentation?
=======================

User <-> Kernel interface documentation is available at
http://tomoyo.sourceforge.jp/2.3/policy-reference.html .
http://tomoyo.osdn.jp/2.5/policy-specification/index.html .

Materials we prepared for seminars and symposiums are available at
http://sourceforge.jp/projects/tomoyo/docs/?category_id=532&language_id=1 .
http://osdn.jp/projects/tomoyo/docs/?category_id=532&language_id=1 .
Below lists are chosen from three aspects.

What is TOMOYO?
  TOMOYO Linux Overview
    http://sourceforge.jp/projects/tomoyo/docs/lca2009-takeda.pdf
    http://osdn.jp/projects/tomoyo/docs/lca2009-takeda.pdf
  TOMOYO Linux: pragmatic and manageable security for Linux
    http://sourceforge.jp/projects/tomoyo/docs/freedomhectaipei-tomoyo.pdf
    http://osdn.jp/projects/tomoyo/docs/freedomhectaipei-tomoyo.pdf
  TOMOYO Linux: A Practical Method to Understand and Protect Your Own Linux Box
    http://sourceforge.jp/projects/tomoyo/docs/PacSec2007-en-no-demo.pdf
    http://osdn.jp/projects/tomoyo/docs/PacSec2007-en-no-demo.pdf

What can TOMOYO do?
  Deep inside TOMOYO Linux
    http://sourceforge.jp/projects/tomoyo/docs/lca2009-kumaneko.pdf
    http://osdn.jp/projects/tomoyo/docs/lca2009-kumaneko.pdf
  The role of "pathname based access control" in security.
    http://sourceforge.jp/projects/tomoyo/docs/lfj2008-bof.pdf
    http://osdn.jp/projects/tomoyo/docs/lfj2008-bof.pdf

History of TOMOYO?
  Realities of Mainlining
    http://sourceforge.jp/projects/tomoyo/docs/lfj2008.pdf
    http://osdn.jp/projects/tomoyo/docs/lfj2008.pdf

What is future plan?
====================
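Review bot: the "Please see" link and the policy-reference link change version from 2.3 to 2.5 in the same hunk as the host rename; please confirm that the 2.5 policy specification describes the syntax the in-tree LSM version actually accepts, otherwise the user-to-kernel interface reference will document a newer format than the kernel understands. The two seminar-material URLs keep the query string ?category_id=532&language_id=1, so check that osdn.jp still honours it after the move.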
@@ -60,6 +60,6 @@ multiple LSM modules at the same time. We feel sorry that you have to give up
SELinux/SMACK/AppArmor etc. when you want to use TOMOYO.

We hope that LSM becomes stackable in future. Meanwhile, you can use non-LSM
version of TOMOYO, available at http://tomoyo.sourceforge.jp/1.7/ .
version of TOMOYO, available at http://tomoyo.osdn.jp/1.8/ .
LSM version of TOMOYO is a subset of non-LSM version of TOMOYO. We are planning
to port non-LSM version's functionalities to LSM versions.
+17 −12
@@ -9298,15 +9298,6 @@ F: net/*/netfilter/
F:	net/netfilter/
F:	net/bridge/br_netfilter*.c

NETLABEL
M:	Paul Moore <paul@paul-moore.com>
W:	http://netlabel.sf.net
L:	netdev@vger.kernel.org
S:	Maintained
F:	Documentation/netlabel/
F:	include/net/netlabel.h
F:	net/netlabel/

NETROM NETWORK LAYER
M:	Ralf Baechle <ralf@linux-mips.org>
L:	linux-hams@vger.kernel.org
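Review bot: removing the standalone NETLABEL entry is safe only because each F: pattern it carried (Documentation/netlabel/, include/net/netlabel.h, net/netlabel/) reappears under NETWORKING [LABELED] in the next hunk; worth stating that in the commit message so nobody reads this as NetLabel becoming unmaintained. The W: http://netlabel.sf.net link is dropped without a replacement note, so anyone following it from older docs will have to discover the github.com/netlabel address on their own. A side effect is that NetLabel patches will now also CC linux-security-module, which looks intended.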
@@ -9434,10 +9425,23 @@ F: net/ipv6/
F:	include/net/ip*
F:	arch/x86/net/*

NETWORKING [LABELED] (NetLabel, CIPSO, Labeled IPsec, SECMARK)
NETWORKING [LABELED] (NetLabel, Labeled IPsec, SECMARK)
M:	Paul Moore <paul@paul-moore.com>
W:	https://github.com/netlabel
L:	netdev@vger.kernel.org
L:	linux-security-module@vger.kernel.org
S:	Maintained
F:	Documentation/netlabel/
F:	include/net/calipso.h
F:	include/net/cipso_ipv4.h
F:	include/net/netlabel.h
F:	include/uapi/linux/netfilter/xt_SECMARK.h
F:	include/uapi/linux/netfilter/xt_CONNSECMARK.h
F:	net/netlabel/
F:	net/ipv4/cipso_ipv4.c
F:	net/ipv6/calipso.c
F:	net/netfilter/xt_CONNSECMARK.c
F:	net/netfilter/xt_SECMARK.c

NETWORKING [TLS]
M:	Ilya Lesokhin <ilyal@mellanox.com>
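Review bot: the heading drops CIPSO even though cipso_ipv4.c and cipso_ipv4.h stay in the F: patterns and calipso.c and calipso.h are added; both are NetLabel protocols so the shorter heading is accurate, but keeping the protocol names in the heading helps people grepping MAINTAINERS for "CIPSO" or "CALIPSO" find the right contact. Listing the xt_SECMARK and xt_CONNSECMARK headers and modules here means netfilter changes to those files will now CC the LSM list as well, which is appropriate for SECMARK.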
@@ -12023,8 +12027,9 @@ M: Paul Moore <paul@paul-moore.com>
M:	Stephen Smalley <sds@tycho.nsa.gov>
M:	Eric Paris <eparis@parisplace.org>
L:	selinux@tycho.nsa.gov (moderated for non-subscribers)
W:	http://selinuxproject.org
T:	git git://git.infradead.org/users/pcmoore/selinux
W:	https://selinuxproject.org
W:	https://github.com/SELinuxProject
T:	git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
S:	Supported
F:	include/linux/selinux*
F:	security/selinux/
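Review bot: the T: line now points at the kernel.org pcmoore/selinux tree, matching the tag this pull was taken from; the old git.infradead.org tree URL disappears entirely, so any remaining in-tree references to it should be updated in the same series. Moving W: to https://selinuxproject.org is consistent with the github link added beneath it.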
+1 −1
@@ -4,7 +4,7 @@
 *
 * Author : Etienne BASSET  <etienne.basset@ensta.org>
 *
 * All credits to : Stephen Smalley, <sds@epoch.ncsc.mil>
 * All credits to : Stephen Smalley, <sds@tycho.nsa.gov>
 * All BUGS to : Etienne BASSET  <etienne.basset@ensta.org>
 */
#ifndef _LSM_COMMON_LOGGING_
+0 −7
@@ -528,11 +528,6 @@
 *
 * Security hooks for task operations.
 *
 * @task_create:
 *	Check permission before creating a child process.  See the clone(2)
 *	manual page for definitions of the @clone_flags.
 *	@clone_flags contains the flags indicating what should be shared.
 *	Return 0 if permission is granted.
 * @task_alloc:
 *	@task task being allocated.
 *	@clone_flags contains the flags indicating what should be shared.
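Review bot: with the @task_create documentation removed, the remaining hook for clone-time checks is @task_alloc, whose description still carries the same @clone_flags text; it would help module authors migrating off task_create to say explicitly that @task_alloc is the replacement and that it runs once the task_struct exists, so a denial there happens after allocation rather than before it.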
@@ -1505,7 +1500,6 @@ union security_list_options {
	int (*file_receive)(struct file *file);
	int (*file_open)(struct file *file, const struct cred *cred);

	int (*task_create)(unsigned long clone_flags);
	int (*task_alloc)(struct task_struct *task, unsigned long clone_flags);
	void (*task_free)(struct task_struct *task);
	int (*cred_alloc_blank)(struct cred *cred, gfp_t gfp);
@@ -1779,7 +1773,6 @@ struct security_hook_heads {
	struct list_head file_send_sigiotask;
	struct list_head file_receive;
	struct list_head file_open;
	struct list_head task_create;
	struct list_head task_alloc;
	struct list_head task_free;
	struct list_head cred_alloc_blank;
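Review bot: removing task_create from union security_list_options and from struct security_hook_heads is only complete together with the matching security_task_create() wrapper and list-head initialisation in security/security.c and the removal of every .task_create registration in the individual LSMs; none of those files appear in this diff, so confirm they are in the same series. On the plus side, any leftover LSM_HOOK_INIT(task_create, ...) will fail to compile once this lands, so a stale registration cannot slip through silently.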