* [GIT PULL] selinux/selinux-pr-20250527
@ 2025-05-27 22:57 Paul Moore
From: Paul Moore @ 2025-05-27 22:57 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: selinux, linux-security-module, linux-kernel


Linus,

Nine SELinux patches for the Linux v6.16 merge window:

- Reduce the SELinux impact on path walks.

  Add a small directory access cache to the per-task SELinux state.
  This cache allows SELinux to cache the most recently used directory
  access decisions in order to avoid repeatedly querying the AVC
  on path walks where the majority of the directories have similar
  security contexts/labels.  My performance measurements are crude,
  but prior to this patch the time spent in SELinux code on a
  'make allmodconfig' run was 103% that of __d_lookup_rcu(), and with
  this patch the time spent in SELinux code dropped to 63% of
  __d_lookup_rcu(), a ~40% improvement.

  Additional improvements can be expected in the future, but those will
  require additional SELinux policy/toolchain support.

- Add support for wildcards in genfscon policy statements.

  This patch allows for wildcards in the genfscon path matching logic
  as opposed to the prefix matching that was used prior to this change.
  Adding wildcard support allows for more expressive and efficient path
  matching in the policy which is especially helpful for sysfs, and has
  resulted in a ~15% boot time reduction in Android.
  
  SELinux policies can opt into wildcard matching by using the
  "genfs_seclabel_wildcard" policy capability.

- Unify the error/OOM handling of the SELinux network caches.

  A failure to allocate memory for the SELinux network caches isn't
  fatal as the object label can still be safely returned to the caller,
  it simply means that we cannot add the new data to the cache, at least
  temporarily.  This patch corrects this behavior for the InfiniBand
  cache and does some minor cleanup.

- Minor improvements around constification, 'likely' annotations, and
  removal of bogus comments.

Paul

--
The following changes since commit 0af2f6be1b4281385b618cb86ad946eded089ac8:

  Linux 6.15-rc1 (2025-04-06 13:11:33 -0700)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
    tags/selinux-pr-20250527

for you to fetch changes up to 05f1a939225ec895a97a6b2f1cf64e329b6474f5:

  selinux: fix the kdoc header for task_avdcache_update
    (2025-04-12 11:37:06 -0400)

----------------------------------------------------------------
selinux-pr-20250527
----------------------------------------------------------------

Christian Göttsche (5):
      selinux: constify network address pointer
      selinux: contify network namespace pointer
      selinux: add likely hints for fast paths
      selinux: unify OOM handling in network hashtables
      selinux: drop copy-paste comment

Paul Moore (3):
      selinux: reduce path walk overhead
      selinux: remove a duplicated include
      selinux: fix the kdoc header for task_avdcache_update

Takaya Saeki (1):
      selinux: support wildcard match in genfscon

 security/selinux/hooks.c                   |  225 +++++++++++++++------
 security/selinux/ibpkey.c                  |   13 -
 security/selinux/include/netnode.h         |    2 
 security/selinux/include/objsec.h          |   16 +
 security/selinux/include/policycap.h       |    1 
 security/selinux/include/policycap_names.h |    1 
 security/selinux/include/security.h        |    2 
 security/selinux/netif.c                   |    6 
 security/selinux/netnode.c                 |   15 -
 security/selinux/netport.c                 |   14 -
 security/selinux/ss/services.c             |   22 +-
 11 files changed, 232 insertions(+), 85 deletions(-)

--
paul-moore.com
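The genfscon change above replaces prefix matching with wildcard matching for policies that enable the "genfs_seclabel_wildcard" capability. The following is an added illustration written for this page, not the kernel's code from the pull request: it models both lookup modes side by side so the behavioural difference is visible. Everything in it is an assumption for the sake of the example: the sysfs paths and the `u:object_r:...` labels are constructed, the glob matcher implements only `*` (any run of characters, including `/`) and `?` (one character), a wildcard entry is assumed to have to cover the whole path, and in both modes the longest matching entry is assumed to win.

```c
/* Illustrative model of genfscon matching, constructed for this page; it is
 * not the kernel's implementation. Assumptions: without the capability an
 * entry matches when its path is a prefix of the inode path; with the
 * capability the entry is a pattern that must match the whole path, where
 * '*' matches any run of characters (including '/') and '?' matches one
 * character; in both modes the longest matching entry wins. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct genfs_entry {
    const char *path;    /* path (or pattern) from the genfscon statement */
    const char *context; /* label assigned to matching inodes */
};

/* Constructed sample entries for sysfs; the labels are made up. */
static const struct genfs_entry legacy_policy[] = {
    { "/",                   "u:object_r:sysfs:s0" },
    { "/devices/system/cpu", "u:object_r:sysfs_cpu:s0" },
};

/* The same intent written for genfs_seclabel_wildcard: generic entries get
 * a trailing '*' because a pattern has to cover the whole path. */
static const struct genfs_entry wildcard_policy[] = {
    { "/*",                              "u:object_r:sysfs:s0" },
    { "/devices/system/cpu/*",           "u:object_r:sysfs_cpu:s0" },
    { "/devices/system/cpu/cpu*/online", "u:object_r:sysfs_cpu_online:s0" },
};

/* Minimal glob matcher: '*' and '?' only, anchored at both ends. */
static bool glob_match(const char *pat, const char *str)
{
    while (*pat) {
        if (*pat == '*') {
            while (*pat == '*')
                pat++;
            if (!*pat)
                return true;              /* trailing '*' takes the rest */
            for (; *str; str++)
                if (glob_match(pat, str))
                    return true;
            return false;
        }
        if (!*str || (*pat != '?' && *pat != *str))
            return false;
        pat++;
        str++;
    }
    return !*str;                         /* pattern must consume the path */
}

static bool prefix_match(const char *entry, const char *path)
{
    return strncmp(entry, path, strlen(entry)) == 0;
}

/* Returns the context for path, or NULL when no entry matches. */
const char *genfs_lookup(const struct genfs_entry *policy, size_t n,
                         const char *path, bool wildcard_cap)
{
    const struct genfs_entry *best = NULL;
    size_t best_len = 0;

    for (size_t i = 0; i < n; i++) {
        bool hit = wildcard_cap ? glob_match(policy[i].path, path)
                                : prefix_match(policy[i].path, path);
        size_t len = strlen(policy[i].path);
        if (hit && (!best || len > best_len)) {
            best = &policy[i];
            best_len = len;
        }
    }
    return best ? best->context : NULL;
}

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

const char *legacy_label(const char *path)
{
    return genfs_lookup(legacy_policy, ARRAY_LEN(legacy_policy), path, false);
}

const char *wildcard_label(const char *path)
{
    return genfs_lookup(wildcard_policy, ARRAY_LEN(wildcard_policy), path, true);
}

int main(void)
{
    const char *paths[] = {
        "/devices/system/cpu/cpu0/online",
        "/devices/system/cpu/cpu12/topology/core_id",
        "/devices/system/cpu",
        "/class/net/eth0/address",
    };
    for (size_t i = 0; i < ARRAY_LEN(paths); i++)
        printf("%-45s prefix=%s wildcard=%s\n", paths[i],
               legacy_label(paths[i]), wildcard_label(paths[i]));
    return 0;
}
```

Two things worth noticing when running it: the per-CPU `online` file can only be singled out in wildcard mode, since a prefix entry cannot express "cpu<N>/online" for every N; and a legacy entry such as `/devices/system/cpu` stops matching its own subtree once the capability is on, so a policy that opts in needs its generic entries rewritten with a trailing `*` (and a separate entry if the directory itself should keep the specific label). That migration cost is why the new semantics sit behind an opt-in policy capability rather than changing matching for every policy.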


* Re: [GIT PULL] selinux/selinux-pr-20250527
From: pr-tracker-bot @ 2025-05-28 15:41 UTC (permalink / raw)
  To: Paul Moore; +Cc: Linus Torvalds, selinux, linux-security-module, linux-kernel

The pull request you sent on Tue, 27 May 2025 18:57:40 -0400:

> https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git tags/selinux-pr-20250527

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/b5628b81bd19fa52d6a35e49336c58d7188eaf1b

Thank you!

-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/prtracker.html
