Commit 8ffc7dbc authored by Linus Torvalds
Pull selinux updates from Paul Moore:

 - Add support for netlink xperms

   Some time ago we added the concept of "xperms" to the SELinux policy
   so that we could write policy for individual ioctls; this builds upon
   this by extending xperms to netlink so that we can write
   SELinux policy for individual netlink message types and not rely on
   the fairly coarse read/write mapping tables we currently have.

   There are limitations involving generic netlink due to the
   multiplexing that is done, but it's no worse than what we currently
   have. As usual, more information can be found in the commit message.

 - Deprecate /sys/fs/selinux/user

   We removed the only known userspace use of this back in 2020 and now
   that several years have elapsed we're starting down the path of
   deprecating it in the kernel.

 - Clean up the build under scripts/selinux

   A couple of patches to move the genheaders tool under
   security/selinux and correct our usage of kernel headers in the tools
   located under scripts/selinux. While these changes originated out of
   an effort to build Linux on different systems, they are arguably the
   right thing to do regardless.

 - Minor code cleanups and style fixes

   Not much to say here, two minor cleanup patches that came out of the
   netlink xperms work.

* tag 'selinux-pr-20241112' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: Deprecate /sys/fs/selinux/user
  selinux: apply clang format to security/selinux/nlmsgtab.c
  selinux: streamline selinux_nlmsg_lookup()
  selinux: Add netlink xperm support
  selinux: move genheaders to security/selinux/
  selinux: do not include <linux/*.h> headers from host programs
parents a8220b0c d7b6918e
+12 −0
What:		/sys/fs/selinux/user
Date:		April 2005 (predates git)
KernelVersion:	2.6.12-rc2 (predates git)
Contact:	selinux@vger.kernel.org
Description:

	The selinuxfs "user" node allows userspace to request a list
	of security contexts that can be reached for a given SELinux
	user from a given starting context. This was used by libselinux
	when various login-style programs requested contexts for
	users, but libselinux stopped using it in 2020.
	Kernel support will be removed no sooner than Dec 2025.
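Review bot: the Description gives a removal floor (no sooner than Dec 2025) but says nothing about what userspace should use instead of the "user" node, nor how an administrator can tell whether anything on a system still reads it; a sentence naming the replacement interface and any warning the kernel logs on access would make the entry actionable for people planning the migration.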
+3 −0
@@ -20,6 +20,9 @@ set -e
# yard. Stale files stay in this file for a while (for some release cycles?),
# then will be really dead and removed from the code base entirely.

# moved to security/selinux/genheaders
rm -f scripts/selinux/genheaders/genheaders

rm -f *.spec

rm -f lib/test_fortify.log
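Review bot: the header comment above says entries in this file only stay for some release cycles, so the new "# moved to security/selinux/genheaders" comment should also record the release in which the move happened, so that the "rm -f scripts/selinux/genheaders/genheaders" line can be pruned later without digging through git history.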
+1 −1
# SPDX-License-Identifier: GPL-2.0-only
subdir-y := mdp genheaders
subdir-y := mdp
+0 −2
# SPDX-License-Identifier: GPL-2.0-only
genheaders
+0 −5
# SPDX-License-Identifier: GPL-2.0
hostprogs-always-y += genheaders
HOST_EXTRACFLAGS += \
	-I$(srctree)/include/uapi -I$(srctree)/include \
	-I$(srctree)/security/selinux/include
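Review bot: the HOST_EXTRACFLAGS being deleted here put $(srctree)/include and $(srctree)/include/uapi on a host program's include path, which is exactly the pattern the "do not include <linux/*.h> headers from host programs" commit in this pull is removing; the relocated genheaders Makefile under security/selinux/ is not part of this view, so confirm it does not carry those two -I flags over.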