* [GIT PULL] selinux/selinux-pr-20260615
From: Paul Moore @ 2026-06-16  2:55 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: selinux, linux-security-module, linux-kernel

Linus,

A number of SELinux patches for Linux v7.2, almost all of which are
either minor fixes or hardening patches.

- Additional verifications when loading new SELinux policy

Multiple patches by Christian Göttsche to add additional validations to
the code responsible for loading and parsing SELinux policy as it is
loaded into the kernel.

- Avoid nontransitive comparisons in our sorting code

Done to prevent unexpected sorting results due to overflow.  Qualys
documented a similar issue with glibc:
https://www.qualys.com/2024/01/30/qsort.txt

- Consistently use u16 for SELinux security classes

- Move from page allocations to kmalloc() based allocations

Unfortunately one of these patches had to be reverted, but you should
see a fixed version during the next merge window.

- Move from kmalloc_objs() to kzalloc_objs() in the policy load code

- Reorder sel_kill_sb() slightly to match other pseudo filesystems

- Simplify things with QSTR() instead of QSTR_INIT()

- Minor comment typo fixes

Paul

--
The following changes since commit 254f49634ee16a731174d2ae34bc50bd5f45e731:

  Linux 7.1-rc1 (2026-04-26 14:19:00 -0700)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
    tags/selinux-pr-20260615

for you to fetch changes up to 033182baeab63ce96a6eb8aef1a6cd444fcf9519:

  selinux: revert use of __getname() in selinux_genfs_get_sid()
    (2026-05-29 11:24:37 -0400)

----------------------------------------------------------------
selinux/stable-7.2 PR 20260615
----------------------------------------------------------------

Christian Göttsche (9):
      selinux: avoid nontransitive comparison
      selinux: use u16 for security classes
      selinux: more strict policy parsing
      selinux: check length fields in policies
      selinux: check type attr map overflows
      selinux: reorder policydb_index()
      selinux: beef up isvalid checks
      selinux: more strict bounds check
      selinux: check for simple types

Kalevi Kolttonen (2):
      selinux: comment typo fix in selinuxfs.c
      selinux: comment spelling fix in ibpkey.c

Mike Rapoport (Microsoft) (2):
      selinux: use k[mz]alloc() to allocate temporary buffers
      selinux: hooks: use __getname() to allocate path buffer

Paul Moore (1):
      selinux: revert use of __getname() in selinux_genfs_get_sid()

Stephen Smalley (2):
      selinux: fix sel_kill_sb()
      selinux: switch two allocations to use kzalloc_objs()

Thorsten Blum (1):
      selinux: use QSTR() instead of QSTR_INIT() in init_sel_fs

 security/selinux/ibpkey.c           |    2 
 security/selinux/include/security.h |    1 
 security/selinux/selinuxfs.c        |   27 +-
 security/selinux/ss/avtab.c         |   49 +++
 security/selinux/ss/avtab.h         |   13 +
 security/selinux/ss/conditional.c   |   39 ++-
 security/selinux/ss/constraint.h    |    1 
 security/selinux/ss/ebitmap.c       |   27 ++
 security/selinux/ss/ebitmap.h       |    1 
 security/selinux/ss/hashtab.h       |    4 
 security/selinux/ss/mls.c           |   66 +++--
 security/selinux/ss/mls.h           |    6 
 security/selinux/ss/policydb.c      |  358 ++++++++++++++++++++++------
 security/selinux/ss/policydb.h      |   56 +++-
 security/selinux/ss/services.c      |   13 -
 security/selinux/ss/symtab.c        |    2 
 security/selinux/ss/symtab.h        |    2 
 17 files changed, 512 insertions(+), 155 deletions(-)

--
paul-moore.com

* Re: [GIT PULL] selinux/selinux-pr-20260615
From: Linus Torvalds @ 2026-06-17 11:54 UTC (permalink / raw)
  To: Paul Moore; +Cc: selinux, linux-security-module, linux-kernel

On Tue, 16 Jun 2026 at 03:55, Paul Moore <paul@paul-moore.com> wrote:
>
> - Avoid nontransitive comparisons in our sorting code
>
> Done to prevent unexpected sorting results due to overflow.  Qualys
> documented a similar issue with glibc:
> https://www.qualys.com/2024/01/30/qsort.txt

So this is clearly worth fixing in the selinux code regardless, but
did anybody check whether our sorting routines in lib/sort.c actually
have any overflow issues with non-transitive comparison functions?

Strange sort order may be confusing but tends to be largely harmless
(the confusion might then obviously cause other issues)

The whole "confuses the sort function enough to result in bad
accesses" might be worth fixing in lib/sort.c if somebody looked into
it...

                 Linus

* Re: [GIT PULL] selinux/selinux-pr-20260615
From: pr-tracker-bot @ 2026-06-17 11:58 UTC (permalink / raw)
  To: Paul Moore; +Cc: Linus Torvalds, selinux, linux-security-module, linux-kernel

The pull request you sent on Mon, 15 Jun 2026 22:55:42 -0400:

> https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git tags/selinux-pr-20260615

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/231e9d447ea97033ae8b8dff7b910e6269d7c5af

Thank you!

-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/prtracker.html

* Re: [GIT PULL] selinux/selinux-pr-20260615
From: Kuan-Wei Chiu @ 2026-06-17 13:06 UTC (permalink / raw)
  To: Linus Torvalds
  Cc: Paul Moore, selinux, linux-security-module, linux-kernel,
	Andrew Morton, jserv, marscheng

Hi Linus,

On Wed, Jun 17, 2026 at 12:54:44PM +0100, Linus Torvalds wrote:
> On Tue, 16 Jun 2026 at 03:55, Paul Moore <paul@paul-moore.com> wrote:
> >
> > - Avoid nontransitive comparisons in our sorting code
> >
> > Done to prevent unexpected sorting results due to overflow.  Qualys
> > documented a similar issue with glibc:
> > https://www.qualys.com/2024/01/30/qsort.txt
> 
> So this is clearly worth fixing in the selinux code regardless, but
> did anybody check whether our sorting routines in lib/sort.c actually
> have any overflow issues with non-transitive comparison functions?
> 
> Strange sort order may be confusing but tends to be largely harmless
> (the confusion might then obviously cause other issues)
> 
>  The whole "confuses the sort function enough to result in bad
> accesses" might be worth fixing in lib/sort.c if somebody looked into
> it...
> 
Since I made most of the recent changes to lib/sort.c, I can
hopefully shed some light on this.

With the current Linux lib/sort.c implementation, passing a compare
function that lacks transitivity will absolutely **not** lead to any
out-of-bounds memory accesses. Unlike glibc, which defaults to merge
sort and falls back to heapsort if malloc fails, the kernel uses a
strict in-place heapsort. Because of this, the compare and swap
operations will always operate safely within the boundaries of the
provided array.

However, it still inevitably leads to unexpected sorting results. This
has caused actual user-visible issues in the past (the previous ACPI
breakage being an example [1][2]). It turns out it is easy for people
to accidentally write comparators that violate transitivity, which is
why I submitted a patch previously to emphasize the properties a
comparator must satisfy. [3]

I have actually thought about whether we could detect transitivity
violations at runtime. But if we map this to graph theory: treating
each element as a node and the comparison results as directed edges,
detecting a violation is equivalent to finding a cycle in the graph.
Doing this would require an O(n^2) time complexity, which is obviously
unacceptable at runtime.

[1]: https://lore.kernel.org/lkml/70674dc7-5586-4183-8953-8095567e73df@gmail.com/
[2]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=233323f9b9f828cd7cd5145ad811c1990b692542
[3]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4e0a15f8b4bd47548032acccdbeb5b9083b3675e

Regards,
Kuan-Wei
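
The overflow-induced nontransitivity discussed in this thread, as an added example that is not code from SELinux, lib/sort.c or any participant. The names cmp_sub, cmp_safe, count_intransitive and the sample values are hypothetical; the brute-force check is O(n^3) and meant for unit tests on small inputs, not for runtime use.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef int (*cmp_fn)(const void *, const void *);

/* Constructed sample: neighbours are 0x60000000 apart, the ends 0xC0000000 apart. */
static const uint32_t sample[] = { 0x00000000u, 0x60000000u, 0xC0000000u };

/* Subtraction-based comparator (hypothetical). The unsigned difference wraps
 * and is reinterpreted as signed, so the sign is wrong whenever the two
 * values are more than INT32_MAX apart. */
static int cmp_sub(const void *a, const void *b)
{
	uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b;

	return (int32_t)(x - y);
}

/* Three-way comparator: compares instead of subtracting, so nothing wraps. */
static int cmp_safe(const void *a, const void *b)
{
	uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b;

	return (x > y) - (x < y);
}

/* Count ordered triples with v[i] < v[j] and v[j] < v[k] but not v[i] < v[k]. */
static size_t count_intransitive(const uint32_t *v, size_t n, cmp_fn cmp)
{
	size_t i, j, k, bad = 0;

	for (i = 0; i < n; i++)
		for (j = 0; j < n; j++)
			for (k = 0; k < n; k++)
				if (cmp(&v[i], &v[j]) < 0 && cmp(&v[j], &v[k]) < 0 &&
				    cmp(&v[i], &v[k]) >= 0)
					bad++;
	return bad;
}

int main(void)
{
	size_t n = sizeof(sample) / sizeof(sample[0]);

	printf("cmp_sub:  %zu intransitive triples\n", count_intransitive(sample, n, cmp_sub));
	printf("cmp_safe: %zu intransitive triples\n", count_intransitive(sample, n, cmp_safe));
	return 0;
}
```

With cmp_sub the three sample values form a cycle (each compares "less than" the next, and the last "less than" the first), so no ordering of them satisfies the comparator.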
