# git rev-parse -q --verify a430d95c5efa2b545d26a094eb5f624e36732af0^{commit}
a430d95c5efa2b545d26a094eb5f624e36732af0
already have revision, skipping fetch
# git checkout -q -f -B kisskb a430d95c5efa2b545d26a094eb5f624e36732af0
# git clean -qxdf
# < git log -1
# commit a430d95c5efa2b545d26a094eb5f624e36732af0
# Merge: ad060dbbcfcf 19c9d55d72a9
# Author: Linus Torvalds
# Date: Mon Sep 16 18:19:47 2024 +0200
#
# Merge tag 'lsm-pr-20240911' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm
#
# Pull lsm updates from Paul Moore:
#
# - Move the LSM framework to static calls
#
# This transitions the vast majority of the LSM callbacks into static
# calls. Those callbacks which haven't been converted were left as-is
# due to the general ugliness of the changes required to support the
# static call conversion; we can revisit those callbacks at a future
# date.
#
# - Add the Integrity Policy Enforcement (IPE) LSM
#
# This adds a new LSM, Integrity Policy Enforcement (IPE). There is
# plenty of documentation about IPE in these patches, so I'll refrain
# from going into too much detail here, but the basic motivation behind
# IPE is to provide a mechanism such that administrators can restrict
# execution to only those binaries which come from integrity protected
# storage, e.g. a dm-verity protected filesystem. You will notice that
# IPE requires additional LSM hooks in the initramfs, dm-verity, and
# fs-verity code, with the associated patches carrying ACK/review tags
# from the associated maintainers. We couldn't find an obvious
# maintainer for the initramfs code, but the IPE patchset has been
# widely posted over several years.
#
# Both Deven Bowers and Fan Wu have contributed to IPE's development
# over the past several years, with Fan Wu agreeing to serve as the IPE
# maintainer moving forward. Once IPE is accepted into your tree, I'll
# start working with Fan to ensure he has the necessary accounts, keys,
# etc. so that he can start submitting IPE pull requests to you
# directly during the next merge window.
#
# - Move the lifecycle management of the LSM blobs to the LSM framework
#
# Management of the LSM blobs (the LSM state buffers attached to
# various kernel structs, typically via a void pointer named "security"
# or similar) has been mixed, some blobs were allocated/managed by
# individual LSMs, others were managed by the LSM framework itself.
#
# Starting with this pull we move management of all the LSM blobs,
# minus the XFRM blob, into the framework itself, improving consistency
# across LSMs, and reducing the amount of duplicated code across LSMs.
# Due to some additional work required to migrate the XFRM blob, it has
# been left as a todo item for a later date; from a practical
# standpoint this omission should have little impact as only SELinux
# provides a XFRM LSM implementation.
#
# - Fix problems with the LSM's handling of F_SETOWN
#
# The LSM hook for the fcntl(F_SETOWN) operation had a couple of
# problems: it was racy with itself, and it was disconnected from the
# associated DAC related logic in such a way that the LSM state could
# be updated in cases where the DAC state would not. We fix both of
# these problems by moving the security_file_set_fowner() hook into the
# same section of code where the DAC attributes are updated. Not only
# does this resolve the DAC/LSM synchronization issue, but as that code
# block is protected by a lock, it also resolves the race condition.
#
# - Fix potential problems with the security_inode_free() LSM hook
#
# Due to use of RCU to protect inodes and the placement of the LSM hook
# associated with freeing the inode, there is a bit of a challenge when
# it comes to managing any LSM state associated with an inode. The VFS
# folks are not open to relocating the LSM hook so we have to get
# creative when it comes to releasing an inode's LSM state.
# Traditionally we have used a single LSM callback within the hook that
# is triggered when the inode is "marked for death", but not actually
# released due to RCU.
#
# Unfortunately, this causes problems for LSMs which want to take an
# action when the inode's associated LSM state is actually released; so
# we add an additional LSM callback, inode_free_security_rcu(), that is
# called when the inode's LSM state is released in the RCU free
# callback.
#
# - Refactor two LSM hooks to better fit the LSM return value patterns
#
# The vast majority of the LSM hooks follow the "return 0 on success,
# negative values on failure" pattern, however, there are a small
# handful that have unique return value behaviors which has caused
# confusion in the past and makes it difficult for the BPF verifier to
# properly vet BPF LSM programs. This includes patches to
# convert two of these "special" LSM hooks to the common 0/-ERRNO pattern.
#
# - Various cleanups and improvements
#
# A handful of patches to remove redundant code, better leverage the
# IS_ERR_OR_NULL() helper, add missing "static" markings, and do some
# minor style fixups.
#
# * tag 'lsm-pr-20240911' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm: (40 commits)
# security: Update file_set_fowner documentation
# fs: Fix file_set_fowner LSM hook inconsistencies
# lsm: Use IS_ERR_OR_NULL() helper function
# lsm: remove LSM_COUNT and LSM_CONFIG_COUNT
# ipe: Remove duplicated include in ipe.c
# lsm: replace indirect LSM hook calls with static calls
# lsm: count the LSMs enabled at compile time
# kernel: Add helper macros for loop unrolling
# init/main.c: Initialize early LSMs after arch code, static keys and calls.
# MAINTAINERS: add IPE entry with Fan Wu as maintainer
# documentation: add IPE documentation
# ipe: kunit test for parser
# scripts: add boot policy generation program
# ipe: enable support for fs-verity as a trust provider
# fsverity: expose verified fsverity built-in signatures to LSMs
# lsm: add security_inode_setintegrity() hook
# ipe: add support for dm-verity as a trust provider
# dm-verity: expose root hash digest and signature data to LSMs
# block,lsm: add LSM blob and new LSM hooks for block devices
# ipe: add permissive toggle
# ...
# < /opt/cross/kisskb/korg/gcc-13.1.0-nolibc/x86_64-linux/bin/x86_64-linux-gcc --version
# < /opt/cross/kisskb/korg/gcc-13.1.0-nolibc/x86_64-linux/bin/x86_64-linux-ld --version
# < git log --format=%s --max-count=1 a430d95c5efa2b545d26a094eb5f624e36732af0
# make -s -j 24 ARCH=x86_64 O=/kisskb/build/linus_allnoconfig_x86_64-gcc13 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-13.1.0-nolibc/x86_64-linux/bin/x86_64-linux- allnoconfig
# < make -s -j 24 ARCH=x86_64 O=/kisskb/build/linus_allnoconfig_x86_64-gcc13 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-13.1.0-nolibc/x86_64-linux/bin/x86_64-linux- help
# make -s -j 24 ARCH=x86_64 O=/kisskb/build/linus_allnoconfig_x86_64-gcc13 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-13.1.0-nolibc/x86_64-linux/bin/x86_64-linux- olddefconfig
# make -s -j 24 ARCH=x86_64 O=/kisskb/build/linus_allnoconfig_x86_64-gcc13 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-13.1.0-nolibc/x86_64-linux/bin/x86_64-linux-
Completed OK
# rm -rf /kisskb/build/linus_allnoconfig_x86_64-gcc13
# Build took: 0:01:03.180786