From: Paul Moore <paul@paul-moore.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: selinux@vger.kernel.org, linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: [GIT PULL] selinux/selinux-pr-20250323
Date: Sun, 23 Mar 2025 15:39:46 -0400
Message-ID: <d0ade43454dee9c00689f03e8d9bd32a@paul-moore.com>


Linus,

Here is the SELinux pull request for the Linux v6.15 merge window; the
highlights are below:

- Add additional SELinux access controls for kernel file reads/loads

  The SELinux kernel file read/load access controls were never updated
  beyond the initial kernel module support; this pull request adds
  support for firmware, kexec, policies, and x.509 certificates.

- Add support for wildcards in network interface names

  There are a number of userspace tools which auto-generate network
  interface names using some pattern of <XXXX>-<NN> where <XXXX> is
  a fixed string, e.g. "podman", and <NN> is an increasing counter.
  Supporting wildcards in the SELinux policy for network interfaces
  simplifies the policy associated with these interfaces.

- Fix a potential problem in the kernel read file SELinux code

  SELinux should always check the file label in the
  security_kernel_read_file() LSM hook, regardless of whether the file is
  being read in chunks.  Unfortunately, the existing code only
  considered the file label on the first chunk; this pull request
  fixes this problem.

  There is more detail in the individual commit, but thankfully the
  existing code didn't expose a bug due to multi-stage reads only
  taking place in one driver, and that driver loading a file type
  that isn't targeted by the SELinux policy.

- Fix the subshell error handling in the example policy loader

  Minor fix to the SELinux example policy loader in scripts/selinux due
  to an undesired interaction with subshells and errexit.

Please merge,
-Paul

--
The following changes since commit 2014c95afecee3e76ca4a56956a936e23283f05b:

  Linux 6.14-rc1 (2025-02-02 15:39:26 -0800)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
    tags/selinux-pr-20250323

for you to fetch changes up to a3d3043ef24ac750f05a164e48f3d0833ebf0252:

  selinux: get netif_wildcard policycap from policy instead of cache
    (2025-03-17 16:22:04 -0400)

----------------------------------------------------------------
selinux/stable-6.15 PR 20250323
----------------------------------------------------------------

"Kipp N. Davis" (1):
      selinux: add permission checks for loading other kinds of kernel files

Christian Göttsche (2):
      selinux: support wildcard network interface names
      selinux: get netif_wildcard policycap from policy instead of cache

Paul Moore (1):
      selinux: always check the file label in selinux_kernel_read_file()

Tanya Agarwal (1):
      selinux: fix spelling error

Tim Schumacher (1):
      selinux: Chain up tool resolving errors in install_policy.sh

 scripts/selinux/install_policy.sh          |   15 ++---
 security/selinux/avc.c                     |    2 
 security/selinux/hooks.c                   |   58 +++++++++++++++++----
 security/selinux/include/classmap.h        |    4 +
 security/selinux/include/policycap.h       |    1 
 security/selinux/include/policycap_names.h |    1 
 security/selinux/include/security.h        |    8 ++
 security/selinux/ss/services.c             |   15 ++++-
 8 files changed, 79 insertions(+), 25 deletions(-)

--
paul-moore.com
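The subshell/errexit interaction behind the install_policy.sh fix, shown as an added example that is not the kernel script's own code: under errexit, a failing tool lookup inside a command substitution terminates the script before an "if [ $? -ne 0 ]" test can run, so the diagnostic is never printed, whereas chaining the lookup with "||" keeps the failure visible. The "assign, then test $?" shape of the original loader and the tool names are assumptions.

```shell
#!/bin/sh
# Added example, not scripts/selinux/install_policy.sh itself. Each function
# runs a small script in a child "sh -e" (errexit on) and returns whatever
# that script printed. Tool names passed in are constructed; the "assign,
# then test $?" shape of the original loader is an assumption.

# Lossy pattern: the assignment's status is the command substitution's
# status, so under errexit a missing tool terminates the child shell right
# there and the "if [ $? -ne 0 ]" diagnostic below it is dead code.
assign_then_test() {
    sh -e -c '
        TOOL=$(command -v "$1")
        if [ $? -ne 0 ]; then
            echo "Could not find $1"
            exit 1
        fi
        echo "TOOL=$TOOL"
    ' demo "$1" 2>/dev/null || true
}

# Chained pattern: a command on the left of "||" is exempt from errexit,
# so the handler runs, prints the diagnostic and exits with a deliberate
# status instead of dying silently.
chained_lookup() {
    sh -e -c '
        TOOL=$(command -v "$1") || {
            echo "Could not find $1"
            exit 1
        }
        echo "TOOL=$TOOL"
    ' demo "$1" 2>/dev/null || true
}

# Stand-alone demonstration: the first call prints nothing at all.
printf 'assign-then-test: [%s]\n' "$(assign_then_test no-such-tool-xyz)"
printf 'chained:          [%s]\n' "$(chained_lookup no-such-tool-xyz)"
printf 'chained (found):  [%s]\n' "$(chained_lookup sh)"
```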
