[GIT PULL] SELinux patches for v5.13

From: Paul Moore
Date: Mon Apr 26 2021 - 19:28:00 EST


Hi Linus,

Here is the SELinux pull request for v5.13, the highlights are below:

* Add support for measuring the SELinux state and policy capabilities using IMA.

* A handful of SELinux/NFS patches to compare the SELinux state of one
mount with a set of mount options. Olga goes into more detail in the
patch descriptions, but this is important as it allows more
flexibility when using NFS and SELinux context mounts.

* Properly differentiate between the subjective and objective LSM
credentials; including support for the SELinux and Smack. My clumsy
attempt at a proper fix for AppArmor didn't quite pass muster so John
is working on a proper AppArmor patch, in the meantime this set of
patches shouldn't change the behavior of AppArmor in any way. This
change explains the bulk of the diffstate beyond security/.

* Fix a problem where we were not properly terminating the permission
list for two SELinux object classes.

Everything has been tested against the selinux-testsuite and as of a
few moments ago the tag applies cleanly to your tree; please merge
this for v5.13.

Thanks,
-Paul

--
The following changes since commit a38fd8748464831584a19438cbb3082b5a2dab15:

Linux 5.12-rc2 (2021-03-05 17:33:41 -0800)

are available in the Git repository at:

git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
tags/selinux-pr-20210426

for you to fetch changes up to e4c82eafb609c2badc56f4e11bc50fcf44b8e9eb:

selinux: add proper NULL termination to the secclass_map permissions
(2021-04-21 21:43:25 -0400)

----------------------------------------------------------------
selinux/stable-5.13 PR 20210426

----------------------------------------------------------------
Lakshmi Ramasubramanian (1):
selinux: measure state and policy capabilities

Olga Kornievskaia (3):
lsm,selinux: add new hook to compare new mount to an existing mount
nfs: remove unneeded null check in nfs_fill_super()
nfs: account for selinux security context when deciding to share
superblock

Paul Moore (4):
lsm: separate security_task_getsecid() into subjective and objective
variants
selinux: clarify task subjective and objective credentials
smack: differentiate between subjective and objective task credentials
selinux: add proper NULL termination to the secclass_map permissions

Vivek Goyal (1):
selinux: Allow context mounts for unpriviliged overlayfs

Xiong Zhenwu (2):
selinux: fix misspellings using codespell tool
selinux: fix misspellings using codespell tool

drivers/android/binder.c | 11 ++-
fs/nfs/fs_context.c | 3 +
fs/nfs/internal.h | 1 +
fs/nfs/super.c | 6 +-
include/linux/cred.h | 2 +-
include/linux/lsm_hook_defs.h | 6 +-
include/linux/lsm_hooks.h | 18 +++-
include/linux/nfs_fs_sb.h | 1 +
include/linux/security.h | 18 +++-
kernel/audit.c | 4 +-
kernel/auditfilter.c | 3 +-
kernel/auditsc.c | 8 +-
kernel/bpf/bpf_lsm.c | 3 +-
net/netlabel/netlabel_unlabeled.c | 2 +-
net/netlabel/netlabel_user.h | 2 +-
security/apparmor/lsm.c | 3 +-
security/integrity/ima/ima_appraise.c | 2 +-
security/integrity/ima/ima_main.c | 14 +--
security/security.c | 20 +++-
security/selinux/hooks.c | 170 ++++++++++++++++++++++++------
security/selinux/ima.c | 87 +++++++++++++++-
security/selinux/include/classmap.h | 5 +-
security/selinux/include/ima.h | 6 ++
security/selinux/include/security.h | 2 +-
security/selinux/selinuxfs.c | 6 ++
security/selinux/ss/hashtab.c | 2 +-
security/selinux/ss/services.c | 2 +-
security/smack/smack.h | 18 +++-
security/smack/smack_lsm.c | 39 +++++---
29 files changed, 372 insertions(+), 92 deletions(-)

--
paul moore
www.paul-moore.com