* [GIT PULL] selinux/selinux-pr-20251201
From: Paul Moore @ 2025-12-02 2:00 UTC (permalink / raw)
To: Linus Torvalds; +Cc: selinux, linux-security-module, linux-kernel
Linus,

A handful of SELinux changes for v6.19, the summary is below, but I
wanted to call out a merge conflict caused by the recent task/cred
changes sent up during the v6.18-rcX cycle. The conflict does require
some manual intervention to resolve, but it is limited to changing
the "SECCLASS_FILE" parameter in two avc_has_perm() calls to
"isec->sclass" in selinux_bprm_creds_for_exec(). The
selinux-pr-20251201.merge tag contains an example fixup of the merge
conflict.

Here is the pull request summary:

- Improve the granularity of SELinux labeling for memfd files

  Currently when creating a memfd file, SELinux treats it the same as
  any other tmpfs, or hugetlbfs, file. While simple, the drawback is
  that it is not possible to differentiate between memfd and tmpfs
  files. This pull request adds a call to the
  security_inode_init_security_anon() LSM hook and wires up SELinux to
  provide a set of memfd specific access controls, including the ability
  to control the execution of memfds.

  As usual, the commit message has more information.

- Improve the SELinux AVC lookup performance

  Adopt the MurmurHash3 for the SELinux AVC hash function instead of
  the custom hash function currently used. MurmurHash3 is already
  used for the SELinux access vector table so the impact to the code
  is minimal, and performance tests have shown improvements in both
  hash distribution and latency.

  See the commit message for the performance measurements.

- Introduce a Kconfig option for the SELinux AVC bucket/slot size

  While we have the ability to grow the number of AVC hash buckets
  today, the size of the buckets (slot size) is fixed at 512. This
  pull request makes that slot size configurable at build time through
  a new Kconfig knob, CONFIG_SECURITY_SELINUX_AVC_HASH_BITS.

Paul
--
The following changes since commit 211ddde0823f1442e4ad052a2f30f050145ccada:

  Linux 6.18-rc2 (2025-10-19 15:19:16 -1000)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
    tags/selinux-pr-20251201

for you to fetch changes up to 20d387d7ceab95aade436c363927b3ab81b0be36:

  selinux: improve bucket distribution uniformity of avc_hash()
    (2025-10-23 18:24:30 -0400)

----------------------------------------------------------------
selinux/stable-6.19 PR 20251201
----------------------------------------------------------------

Hongru Zhang (3):
      selinux: Introduce a new config to make avc cache slot size
         adjustable
      selinux: Move avtab_hash() to a shared location for future reuse
      selinux: improve bucket distribution uniformity of avc_hash()

Thiébaud Weksteen (1):
      memfd,selinux: call security_inode_init_security_anon()

 include/linux/memfd.h                      |  2
 mm/memfd.c                                 | 14 +++++-
 security/selinux/Kconfig                   | 11 ++++
 security/selinux/avc.c                     |  9 ++--
 security/selinux/hooks.c                   | 26 +++++++++--
 security/selinux/include/classmap.h        |  2
 security/selinux/include/hash.h            | 47 +++++++++++++++++++++
 security/selinux/include/policycap.h       |  1
 security/selinux/include/policycap_names.h |  1
 security/selinux/include/security.h        |  5 ++
 security/selinux/ss/avtab.c                | 39 +----------------
 11 files changed, 110 insertions(+), 47 deletions(-)

--
paul-moore.com
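
The hash distribution point in the AVC lookup item above, as an added example that is not part of the email or of the kernel patches: it counts how many of 512 buckets a shift-and-XOR hash and a MurmurHash3-style hash occupy for the same keys. The form of `xor_shift_hash()`, the word order and zero seed in `murmur3_hash()`, and the key ranges are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define SLOTS 512u /* the fixed slot count quoted in the pull request */

/* Assumption: a shift-and-XOR hash standing in for the older custom hash. */
static uint32_t xor_shift_hash(uint32_t ssid, uint32_t tsid, uint16_t tclass)
{
    return (ssid ^ (tsid << 2) ^ ((uint32_t)tclass << 4)) & (SLOTS - 1);
}

static uint32_t rotl32(uint32_t v, unsigned r) { return (v << r) | (v >> (32 - r)); }

/* MurmurHash3 (x86_32) block step: fold one 32-bit word k into state h. */
static uint32_t mix(uint32_t h, uint32_t k)
{
    k *= 0xcc9e2d51u; k = rotl32(k, 15); k *= 0x1b873593u;
    h ^= k; h = rotl32(h, 13);
    return h * 5u + 0xe6546b64u;
}

/* Assumption: word order (tclass, tsid, ssid) and a zero seed. */
static uint32_t murmur3_hash(uint32_t ssid, uint32_t tsid, uint16_t tclass)
{
    uint32_t h = mix(mix(mix(0, tclass), tsid), ssid);
    /* MurmurHash3 finalizer: avalanche high bits into the low bits we keep. */
    h ^= h >> 16; h *= 0x85ebca6bu; h ^= h >> 13; h *= 0xc2b2ae35u; h ^= h >> 16;
    return h & (SLOTS - 1);
}

/* Constructed keys: 16 source SIDs x 16 target SIDs x 4 classes = 1024.
 * Returns the number of occupied buckets; *longest gets the worst chain. */
static unsigned buckets_used(uint32_t (*fn)(uint32_t, uint32_t, uint16_t),
                             unsigned *longest)
{
    unsigned chain[SLOTS] = {0}, used = 0;
    *longest = 0;
    for (uint32_t s = 1; s <= 16; s++)
        for (uint32_t t = 1; t <= 16; t++)
            for (uint16_t c = 1; c <= 4; c++) {
                unsigned n = ++chain[fn(s, t, c)];
                if (n == 1) used++;
                if (n > *longest) *longest = n;
            }
    return used;
}

int main(void)
{
    unsigned lo, ln, uo = buckets_used(xor_shift_hash, &lo);
    unsigned un = buckets_used(murmur3_hash, &ln);
    printf("xor-shift: %u buckets used, longest chain %u\n", uo, lo);
    printf("murmur3:   %u buckets used, longest chain %u\n", un, ln);
    return 0;
}
```

With small, sequentially assigned identifiers the shift-and-XOR form never sets a bit above bit 6 for this key set, so it can reach at most 128 of the 512 buckets, while the MurmurHash3 finalizer spreads the same keys across the table.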
* Re: [GIT PULL] selinux/selinux-pr-20251201
From: pr-tracker-bot @ 2025-12-03 19:32 UTC (permalink / raw)
To: Paul Moore; +Cc: Linus Torvalds, selinux, linux-security-module, linux-kernel
The pull request you sent on Mon, 01 Dec 2025 21:00:42 -0500:
> https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git tags/selinux-pr-20251201
has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/51e3b98d737aa3e76e077db77b9aa749436c93ac
Thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/prtracker.html