Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v5.11 2020-12-24T22:08:43Z 2020-12-24T22:08:43Z Linus Torvalds torvalds@linux-foundation.org 2020-12-24T22:08:43Z urn:sha1:2f2fce3d535779cb1b0d77ce839029d5d875d4f4 Pull smack fix from Casey Schaufler: "Provide a fix for the incorrect handling of privilege in the face of io_uring's use of kernel threads. That invalidated an long standing assumption regarding the privilege of kernel threads. The fix is simple and safe. It was provided by Jens Axboe and has been tested" * tag 'Smack-for-5.11-io_uring-fix' of git://github.com/cschaufler/smack-next: Smack: Handle io_uring kernel thread privileges 2020-12-22T23:34:24Z Casey Schaufler casey@schaufler-ca.com 2020-12-22T23:34:24Z urn:sha1:942cb357ae7d9249088e3687ee6a00ed2745a0c7 Smack assumes that kernel threads are privileged for smackfs operations. This was necessary because the credential of the kernel thread was not related to a user operation. With io_uring the credential does reflect a user's rights and can be used. Suggested-by: Jens Axboe <axboe@kernel.dk> Acked-by: Jens Axboe <axboe@kernel.dk> Acked-by: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> 2020-12-16T19:11:58Z Linus Torvalds torvalds@linux-foundation.org 2020-12-16T19:11:58Z urn:sha1:8bda68d68b21cb9881dcc7159fd9db1b6f95ac15 Pull smack updates from Casey Schaufler: "There are no functional changes. Just one minor code clean-up and a set of corrections in function header comments" * tag 'Smack-for-5.11' of git://github.com/cschaufler/smack-next: security/smack: remove unused varible 'rc' Smack: fix kernel-doc interface on functions 2020-12-03T20:56:03Z Florian Westphal fw@strlen.de 2020-11-30T15:36:29Z urn:sha1:41dd9596d6b239a125c3d19f9d0ca90bdbfbf876 A followup change to tcp_request_sock_op would have to drop the 'const' qualifier from the 'route_req' function as the 'security_inet_conn_request' call is moved there - and that function expects a 'struct sock *'. However, it turns out its also possible to add a const qualifier to security_inet_conn_request instead. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: James Morris <jamorris@linux.microsoft.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2020-11-17T01:26:31Z Alex Shi alex.shi@linux.alibaba.com 2020-11-08T06:45:42Z urn:sha1:9b0072e2b2b588ad75c94f2c6e6c52c8f4bd2657 This varible isn't used and can be removed to avoid a gcc warning: security/smack/smack_lsm.c:3873:6: warning: variable ‘rc’ set but not used [-Wunused-but-set-variable] Signed-off-by: Alex Shi <alex.shi@linux.alibaba.com> Cc: Casey Schaufler <casey@schaufler-ca.com> Cc: James Morris <jmorris@namei.org> Cc: "Serge E. Hallyn" <serge@hallyn.com> Cc: linux-security-module@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> 2020-11-13T19:50:44Z Alex Shi alex.shi@linux.alibaba.com 2020-11-13T07:26:59Z urn:sha1:7da31b858ec278f90603506ce7fa7eed3c53c8d7 The are some kernel-doc interface issues: security/smack/smackfs.c:1950: warning: Function parameter or member 'list' not described in 'smk_parse_label_list' security/smack/smackfs.c:1950: warning: Excess function parameter 'private' description in 'smk_parse_label_list' security/smack/smackfs.c:1979: warning: Function parameter or member 'list' not described in 'smk_destroy_label_list' security/smack/smackfs.c:1979: warning: Excess function parameter 'head' description in 'smk_destroy_label_list' security/smack/smackfs.c:2141: warning: Function parameter or member 'count' not described in 'smk_read_logging' security/smack/smackfs.c:2141: warning: Excess function parameter 'cn' description in 'smk_read_logging' security/smack/smackfs.c:2278: warning: Function parameter or member 'format' not described in 'smk_user_access' Correct them in this patch. Signed-off-by: Alex Shi <alex.shi@linux.alibaba.com> Cc: Casey Schaufler <casey@schaufler-ca.com> Cc: James Morris <jmorris@namei.org> Cc: "Serge E. Hallyn" <serge@hallyn.com> Cc: linux-security-module@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> 2020-10-13T23:18:51Z Linus Torvalds torvalds@linux-foundation.org 2020-10-13T23:18:51Z urn:sha1:99a6740f88e9438cd220096d3d96eb6ba8d5c6f0 Pull smack updates from Casey Schaufler: "Two minor fixes and one performance enhancement to Smack. The performance improvement is significant and the new code is more like its counterpart in SELinux. - Two kernel test robot suggested clean-ups. - Teach Smack to use the IPv4 netlabel cache. This results in a 12-14% improvement on TCP benchmarks" * tag 'Smack-for-5.10' of git://github.com/cschaufler/smack-next: Smack: Remove unnecessary variable initialization Smack: Fix build when NETWORK_SECMARK is not set Smack: Use the netlabel cache Smack: Set socket labels only once Smack: Consolidate uses of secmark into a function 2020-10-05T21:20:51Z Casey Schaufler casey@schaufler-ca.com 2020-10-05T21:20:51Z urn:sha1:edd615371b668404d06699c04f5f90c4f438814a The initialization of rc in smack_from_netlbl() is pointless. Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> 2020-09-22T21:59:31Z Casey Schaufler casey@schaufler-ca.com 2020-09-22T21:59:31Z urn:sha1:bf0afe673b999439b6a53c75727821795ccb27e2 Use proper conditional compilation for the secmark field in the network skb. Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> 2020-09-11T22:31:31Z Casey Schaufler casey@schaufler-ca.com 2020-08-12T00:39:43Z urn:sha1:322dd63c7f98315b5794653bc582d109841219ae Utilize the Netlabel cache mechanism for incoming packet matching. Refactor the initialization of secattr structures, as it was being done in two places. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>