public inbox for linux-security-module@vger.kernel.org
From: Paul Moore <paul@paul-moore.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: selinux@vger.kernel.org, linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: [GIT PULL] selinux/selinux-pr-20260203
Date: Tue, 03 Feb 2026 23:10:38 -0500
Message-ID: <74f395ba13926ab0391bd8714abc6036@paul-moore.com>

Linus,

This is a bit early, but due to some personal scheduling I'd rather send
this to you now, and you always mention you prefer to get pull requests
early (perhaps not this early?) so here is hoping this is a win-win.

Here are the highlights for the SELinux changes queued for the Linux v7.0
merge window:

- Add support for SELinux based access control of BPF tokens

We worked with the BPF devs to add the necessary LSM hooks when the BPF
token code was first introduced, but it took us a bit longer to add the
SELinux wiring and support.  In order to preserve existing token-unaware
SELinux policies, the new code is gated by the new "bpf_token_perms"
policy capability.

Additional details regarding the new permissions and behaviors can be
found in the associated commit.

- Remove a BUG() from the SELinux capability code

We now perform a similar check during compile time so we can safely
remove the BUG() call.

Paul

--
The following changes since commit 8f0b4cce4481fb22653697cced8d0d04027cb1e8:

  Linux 6.19-rc1 (2025-12-14 16:05:07 +1200)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
    tags/selinux-pr-20260203

for you to fetch changes up to ea64aa57d596c4cbe518ffd043c52ef64089708d:

  selinux: drop the BUG() in cred_has_capability()
    (2026-01-14 16:26:21 -0500)

----------------------------------------------------------------
selinux/stable-7.0 PR 20260203
----------------------------------------------------------------

Eric Suen (1):
      selinux: add support for BPF token access control

Paul Moore (3):
      selinux: move the selinux_blob_sizes struct
      selinux: fix a capabilities parsing typo in
         selinux_bpf_token_capable()
      selinux: drop the BUG() in cred_has_capability()

 security/selinux/hooks.c                   |  163 +++++++++++++++++----
 security/selinux/include/classmap.h        |    2 
 security/selinux/include/objsec.h          |    3 
 security/selinux/include/policycap.h       |    1 
 security/selinux/include/policycap_names.h |    1 
 security/selinux/include/security.h        |    6 
 6 files changed, 151 insertions(+), 25 deletions(-)

--
paul-moore.com
