public inbox for stable@vger.kernel.org
From: Alexander Grund <theflamefire89@gmail.com>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: stable@vger.kernel.org, theflamefire89@gmail.com
Subject: Re: [GIT 4.9] LSM,security,selinux,smack: Backport of LSM changes
Date: Sun, 10 Jul 2022 12:44:34 +0200
Message-ID: <81f96354-cbed-26e4-9f3f-5287095ccece@gmail.com>
In-Reply-To: <YslxiluWV9YnPPAY@kroah.com>

> Please just send them to us in patch form like all other stable
> submissions.

Sorry, I'm new to this kernel list. I'll send 1 patch of this series in a new mail (as a test).
Please bear with me if there are any mistakes; the next ones will then be better.

>> for you to fetch changes up to 911aa0e49633be52c7a2de8c99de87b6bf3a7604:
>>
>>    LSM: Initialize security_hook_heads upon registration. (2022-07-09 12:51:42 +0200)
>>
>> All commits are cherry-picks/backports from mainline.
>> The intent was to apply the last commit ("LSM: Initialize security_hook_heads upon registration.") with as few changes as possible.
> 
> Why?

The conflicts come from added/removed/changed hooks. As noted below, those changes seem to be valuable.
It is possible to apply the above commit first, but then each of the other commits will need conflict resolution.
Hence I first backported the changes to the hooks and eventually applied that initialization change, which also allows checking for
differences in the hooks between mainline and 4.9.y.

>> This revealed added/removed/changed hooks and related changes which seem valuable to have in 4.9 and via the CIP in 4.4 SLTS.
> 
> What is "CIP"?

The Civil Infrastructure Platform (CIP) e.g. maintains LTS kernel trees which are now End of Life but still used.
They call that SLTS ("Super Long Term Support") and there is e.g. a 4.4.y branch with backports from the 4.9.y LTS branch.
That kernel is e.g. used in many Android phones.
So in summary I'd like to backport changes to the security system from mainline to 4.9 from where they will be backported to 4.4 (by CIP) and from there included in Android builds still using the kernel.

>> For additional context: I initially backported those directly to CIP's v4.4-st14 and tested those on an ARM64 Android device from SONY. [1]
> 
> I have no context or understand this, sorry :(

My bad, I forgot to include the link.
It is [2], which describes in a bit more detail why I wanted the changes in a kernel tree I maintain for a SONY device.
Summary: The fix for CVE-2021-39686 benefits from the last commit (LSM: Initialize security_hook_heads upon registration) while the others enhance the security.

Thanks for your patience,
Alex

[1] https://wiki.linuxfoundation.org/civilinfrastructureplatform/start
[2] https://github.com/Flamefire/android_kernel_sony_msm8998/pull/24
