Commit 72eaa096 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'selinux-pr-20230420' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux 

Pull selinux updates from Paul Moore:

 - Stop passing the 'selinux_state' pointers as function arguments

   As discussed during the end of the last development cycle, passing a
   selinux_state pointer through the SELinux code has a noticeable
   impact on performance, and with the current code it is not strictly
   necessary.

   This simplifies things by referring directly to the single
   selinux_state global variable which should help improve SELinux
   performance.

 - Uninline the unlikely portions of avc_has_perm_noaudit()

   This change was also based on a discussion from the last development
   cycle, and is heavily based on an initial proof of concept patch from
   you. The core issue was that avc_has_perm_noaudit() was not able to
   be inlined, as intended, due to its size. We solved this issue by
   extracting the less frequently hit portions of avc_has_perm_noaudit()
   into a separate function, reducing the size of avc_has_perm_noaudit()
   to the point where the compiler began inlining the function. We also
   took the opportunity to clean up some ugly RCU locking in the code
   that became uglier with the change.

 - Remove the runtime disable functionality

   After several years of work by the userspace and distro folks, we are
   finally in a place where we feel comfortable removing the runtime
   disable functionality which we initially deprecated at the start of
   2020.

   There is plenty of information in the kernel's deprecation (now
   removal) notice, but the main motivation was to be able to safely
   mark the LSM hook structures as '__ro_after_init'.

   LWN also wrote a good summary of the deprecation this morning which
   offers a more detailed history:

        https://lwn.net/SubscriberLink/927463/dcfa0d4ed2872f03

 - Remove the checkreqprot functionality

   The original checkreqprot deprecation notice stated that the removal
   would happen no sooner than June 2021, which means this falls hard
   into the "better late than never" bucket.

   The Kconfig and deprecation notice has more detail on this setting,
   but the basic idea is that we want to ensure that the SELinux policy
   allows for the memory protections actually applied by the kernel, and
   not those requested by the process.

   While we haven't found anyone running a supported distro that is
   affected by this deprecation/removal, anyone who is affected would
   only need to update their policy to reflect the reality of their
   applications' mapping protections.

 - Minor Makefile improvements

   Some minor Makefile improvements to correct some dependency issues
   likely only ever seen by SELinux developers. I expect we will have at
   least one more tweak to the Makefile during the next merge window,
   but it didn't quite make the cutoff this time around.

* tag 'selinux-pr-20230420' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: ensure av_permissions.h is built when needed
  selinux: fix Makefile dependencies of flask.h
  selinux: stop returning node from avc_insert()
  selinux: clean up dead code after removing runtime disable
  selinux: update the file list in MAINTAINERS
  selinux: remove the runtime disable functionality
  selinux: remove the 'checkreqprot' functionality
  selinux: stop passing selinux_state pointers and their offspring
  selinux: uninline unlikely parts of avc_has_perm_noaudit()
parents a5624566 4ce1f694

Documentation/ABI/obsolete/sysfs-selinux-checkreqprotDocumentation/ABI/removed/sysfs-selinux-checkreqprot

+3 −0
Original line number Diff line number Diff line
@@ -4,6 +4,9 @@ KernelVersion: 2.6.12-rc2 (predates git) 
Contact:	selinux@vger.kernel.org

Description:



	REMOVAL UPDATE: The SELinux checkreqprot functionality was removed in

	March 2023, the original deprecation notice is shown below.



	The selinuxfs "checkreqprot" node allows SELinux to be configured

	to check the protection requested by userspace for mmap/mprotect

	calls instead of the actual protection applied by the kernel.

Documentation/ABI/obsolete/sysfs-selinux-disableDocumentation/ABI/removed/sysfs-selinux-disable

+3 −0
Original line number Diff line number Diff line
@@ -4,6 +4,9 @@ KernelVersion: 2.6.12-rc2 (predates git) 
Contact:	selinux@vger.kernel.org

Description:



	REMOVAL UPDATE: The SELinux runtime disable functionality was removed

	in March 2023, the original deprecation notice is shown below.



	The selinuxfs "disable" node allows SELinux to be disabled at runtime

	prior to a policy being loaded into the kernel.  If disabled via this

	mechanism, SELinux will remain disabled until the system is rebooted.

MAINTAINERS

+2 −2
Original line number Diff line number Diff line
@@ -18822,8 +18822,8 @@ S: Supported 
W:	https://selinuxproject.org

W:	https://github.com/SELinuxProject

T:	git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git

F:	Documentation/ABI/obsolete/sysfs-selinux-checkreqprot

F:	Documentation/ABI/obsolete/sysfs-selinux-disable

F:	Documentation/ABI/removed/sysfs-selinux-checkreqprot

F:	Documentation/ABI/removed/sysfs-selinux-disable

F:	Documentation/admin-guide/LSM/SELinux.rst

F:	include/trace/events/avc.h

F:	include/uapi/linux/selinux_netlink.h

include/linux/lsm_hooks.h

+0 −30
Original line number Diff line number Diff line
@@ -1740,36 +1740,6 @@ extern struct lsm_info __start_early_lsm_info[], __end_early_lsm_info[]; 
		__used __section(".early_lsm_info.init")		\

		__aligned(sizeof(unsigned long))



#ifdef CONFIG_SECURITY_SELINUX_DISABLE

/*

 * Assuring the safety of deleting a security module is up to

 * the security module involved. This may entail ordering the

 * module's hook list in a particular way, refusing to disable

 * the module once a policy is loaded or any number of other

 * actions better imagined than described.

 *

 * The name of the configuration option reflects the only module

 * that currently uses the mechanism. Any developer who thinks

 * disabling their module is a good idea needs to be at least as

 * careful as the SELinux team.

 */

static inline void security_delete_hooks(struct security_hook_list *hooks,

						int count)

{

	int i;



	for (i = 0; i < count; i++)

		hlist_del_rcu(&hooks[i].list);

}

#endif /* CONFIG_SECURITY_SELINUX_DISABLE */



/* Currently required to handle SELinux runtime hook disable. */

#ifdef CONFIG_SECURITY_WRITABLE_HOOKS

#define __lsm_ro_after_init

#else

#define __lsm_ro_after_init	__ro_after_init

#endif /* CONFIG_SECURITY_WRITABLE_HOOKS */



extern int lsm_inode_alloc(struct inode *inode);



#endif /* ! __LINUX_LSM_HOOKS_H */

security/Kconfig

+0 −5
Original line number Diff line number Diff line
@@ -32,11 +32,6 @@ config SECURITY 


	  If you are unsure how to answer this question, answer N.



config SECURITY_WRITABLE_HOOKS

	depends on SECURITY

	bool

	default n



config SECURITYFS

	bool "Enable the securityfs filesystem"

	help