summaryrefslogtreecommitdiff
path: root/security
AgeCommit message (Collapse)Author
18 hoursMerge branch 'next' of ↵Mark Brown
https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git
18 hoursMerge branch 'master' of git://git.code.sf.net/p/tomoyo/tomoyo.gitMark Brown
18 hoursMerge branch 'next' of https://github.com/cschaufler/smack-nextMark Brown
18 hoursMerge branch 'next' of ↵Mark Brown
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
18 hoursMerge branch 'apparmor-next' of ↵Mark Brown
https://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor
18 hoursMerge branch 'next' of ↵Mark Brown
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git
4 dayslandlock: Fix kernel-doc for the nested quiet layer flagMickaël Salaün
kernel-doc emits "Excess struct member 'quiet' description in 'landlock_layer'" because "quiet" is a bitfield inside the named nested struct "flags", but its inline comment used the bare member name "@quiet:", which kernel-doc attributes to the enclosing landlock_layer. Use the canonical dotted notation "@flags.quiet:" so kernel-doc resolves the nested member, and include it in the generated documentation. Cc: Justin Suess <utilityemal77@gmail.com> Cc: Tingmao Wang <m@maowtm.org> Fixes: a260c0055665 ("landlock: Add a place for flags to layer rules") Link: https://patch.msgid.link/20260703141711.2016964-1-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net>
5 dayslsm: clarify security_task_prctl() hook documentationBill Roberts
The task_prctl hook comment incorrectly described the hook as checking whether a prctl operation is allowed. In reality, the hook exists for LSMs to handle LSM-specific prctl operations. Update the function description and kernel-doc comment to reflect the actual behavior. The old wording appears to have been copied from other permission-check hooks despite differing semantics. Signed-off-by: Bill Roberts <bill.roberts@arm.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Serge Hallyn <serge@hallyn.com> [PM: subj tweak, comment tweak -> "prctl to prctl()" ] Signed-off-by: Paul Moore <paul@paul-moore.com>
5 daysAutomated merge of 'dev' into 'next'Paul Moore
* dev: selinux: tighten type validation during policy load selinux: drop unnecessary goto and label from avc_alloc_node() selinux: convert int flags to bool flags in ss/services.c selinux: clean up selinuxfs resources on init failure selinux: hooks: use kmalloc() to allocate path buffer
5 daysselinux: tighten type validation during policy loadStephen Smalley
Tighten type validation during policy load to improve robustness in the face of ill-formed policies. Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
5 dayslandlock: Fix TCP Fast Open connection bypassMatthieu Buffet
The documentation of the socket_connect() LSM hook states that it controls connecting a socket to a remote address. It has not been the case since the addition of TCP Fast Open (RFC 7413) support, which allows opening a TCP connection (thus, setting a socket's destination address) via the MSG_FASTOPEN flag passed to sendto()/sendmsg()/sendmmsg(). The problem then got duplicated into MPTCP. Landlock did not take it into account when its TCP support was added, leaving a bypass of TCP connect policy. Ideally a call to the LSM hook would be added in the fastopen code path, in order to fix this generically. But connect() hooks are designed to run with the socket locked, unlike sendmsg() hooks. Closes: https://github.com/landlock-lsm/linux/issues/41 Fixes: fff69fb03dde ("landlock: Support network rules with TCP bind and connect") Signed-off-by: Matthieu Buffet <matthieu@buffet.re> Link: https://patch.msgid.link/20260701214628.33319-1-matthieu@buffet.re [mic: Wrap commit message] Signed-off-by: Mickaël Salaün <mic@digikod.net>
5 daysapparmor: temporarily disable in syzbot kernels.Tetsuo Handa
This change is not for upstream. This change is for linux-next only. This is a workaround until the following build failure is fixed. security/apparmor/apparmorfs.c:486:12: warning: 'decompress_zstd' used but never defined Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
5 daysselinux: avoid sk_socket dereference in selinux_sctp_bind_connect()Tristan Madani
selinux_sctp_bind_connect() dereferences sk->sk_socket to pass a struct socket * to selinux_socket_bind() and selinux_socket_connect_helper(). However, when the hook is invoked from the ASCONF softirq path (sctp_process_asconf), there is no file reference guaranteeing that sk->sk_socket is non-NULL. The setsockopt callers (bindx, connectx, set_primary, sendmsg connect) hold a file reference and are not affected. Both selinux_socket_bind() and selinux_socket_connect_helper() immediately resolve sock->sk, never using the struct socket * for anything else. Refactor the inner logic into helpers that take a struct sock * directly so that selinux_sctp_bind_connect() never needs to touch sk->sk_socket at all. Cc: stable@vger.kernel.org Fixes: d452930fd3b9 ("selinux: Add SCTP support") Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Tristan Madani <tristan@talencesecurity.com> Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com> Tested-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
5 daysselinux: drop unnecessary goto and label from avc_alloc_node()Kalevi Kolttonen
Since avc_alloc_node() doesn't need to perform any cleanup on its exit paths, there is no benefit to keeping the out label and goto statement. Drop it. Signed-off-by: Kalevi Kolttonen <kalevi@kolttonen.fi> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
5 daysselinux: convert int flags to bool flags in ss/services.cKalevi Kolttonen
Update security_sid_to_context_core(), security_context_to_sid_core(), and their callers to pass boolean flags via bool rather than int. No functional change. Signed-off-by: Kalevi Kolttonen <kalevi@kolttonen.fi> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> [PM: minor subject and description tweaks] Signed-off-by: Paul Moore <paul@paul-moore.com>
5 daysselinux: clean up selinuxfs resources on init failureHaoxiang Li
init_sel_fs() creates the selinuxfs mount point and registers the filesystem before mounting selinuxfs internally. If kern_mount() or the subsequent lookup of the null file fails, the function returns without undoing the resources that were already registered. Add the missing error unwinding so the internal mount, filesystem registration, and sysfs mount point are released as appropriate. Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
5 daysselinux: check connect-related permissions on TCP Fast OpenStephen Smalley
Similar to Landlock, SELinux was not updated when TCP Fast Open support was introduced to ensure connect-related permissions are checked when using TCP Fast Open. Update its socket_sendmsg() hook to call selinux_socket_connect() when MSG_FASTOPEN is passed. Cc: stable@vger.kernel.org Link: https://lore.kernel.org/linux-security-module/20260616201615.275032-1-hexlabsecurity@proton.me/ Link: https://lore.kernel.org/linux-security-module/20260617180526.15627-2-matthieu@buffet.re/ Reported-by: Bryam Vargas <hexlabsecurity@proton.me> Reported-by: Matthieu Buffet <matthieu@buffet.re> Reported-by: Mikhail Ivanov <ivanov.mikhail1@huawei-partners.com> Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> Tested-by: Bryam Vargas <hexlabsecurity@proton.me> Signed-off-by: Paul Moore <paul@paul-moore.com>
6 daysselinux: hooks: use kmalloc() to allocate path bufferMike Rapoport (Microsoft)
selinux_genfs_get_sid() allocates memory for a path with __get_free_page(). Such usage does not require a "page" and the size of the buffer should actually be PATH_MAX which may be less than PAGE_SIZE on some architectures. Replace __get_free_page() for allocation of a path buffer with kmalloc() and make it explicit that the buffer size is PATH_MAX. Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
7 daysbpf: Reject BPF_MAP_TYPE_INODE_STORAGE creation if BPF LSM is uninitializedMatt Bobrowski
When CONFIG_BPF_LSM=y is set, BPF inode storage maps (BPF_MAP_TYPE_INODE_STORAGE) are compiled into the kernel. However, if the BPF LSM is not explicitly enabled at boot time (e.g. omitted from the "lsm=" boot parameter), lsm_prepare() is never executed for the BPF LSM. Consequently, the BPF inode security blob offset (bpf_lsm_blob_sizes.lbs_inode) is never initialized and remains at its default compiled size of 8 bytes instead of being updated to a valid offset past the reserved struct rcu_head (typically 16 bytes or more). When a privileged user creates and updates a BPF_MAP_TYPE_INODE_STORAGE map, bpf_inode() evaluates inode->i_security + 8. This erroneously aliases the struct rcu_head.func callback pointer at the beginning of the inode->i_security blob. During subsequent map element cleanup or inode destruction, writing NULL to owner_storage clears the queued RCU callback pointer. When rcu_do_batch() later executes the queued callback, it attempts an instruction fetch at address 0x0, triggering an immediate kernel panic. Fix this by introducing a global bpf_lsm_initialized boolean flag marked with __ro_after_init. Set this flag to true inside bpf_lsm_init() when the LSM framework successfully registers the BPF LSM. Gate map allocation in inode_storage_map_alloc() on this flag, returning -EOPNOTSUPP if the BPF LSM is in turn uninitialized. This fail-fast approach prevents userspace from allocating inode storage maps when the supporting BPF LSM infrastructure is absent, avoiding zombie map states. Fixes: 8ea636848aca ("bpf: Implement bpf_local_storage for inodes") Reported-by: oxsignal <awo@kakao.com> Signed-off-by: Matt Bobrowski <mattbobrowski@google.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Reviewed-by: Amery Hung <ameryhung@gmail.com> Link: https://lore.kernel.org/bpf/20260628201103.3624525-1-mattbobrowski@google.com
8 daysapparmor: fix alternate loaders ability to load compressed policyJohn Johansen
When policy is compressed it is given a header in userspace. The parser knows to strip this header, but alternate profile loaders like aa-load and systemd have not been updated so that they know to strip the header. This allows those loaders to just load the binary file without having to be updated. Fixes: 17b5758bf35c7 ("apparmor: Initial support for compressed policies") Signed-off-by: John Johansen <john.johansen@canonical.com>
8 daysapparmor: Initial support for compressed policiesMaxime Bélair
This patch allows policies to be compressed in userspace and be sent to the kernel through the existing ".load" and ".replace" kernel interfaces. The benefits of this approach are: - Save kernel time when loading policies - Allow userspace to provide a higher level of compression than the one provided by the kernel (ZSTD_CLEVEL_DEFAULT), thus saving space. - Allow small embedded systems to only store the compressed version of policies in userspace, saving memory. Userspace-compressed policies improve system time by up to ~30% for big profiles. Signed-off-by: Maxime Bélair <maxime.belair@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
8 daysapparmor: make include headers self-containedRyan Lee
Besides of resolving clangd IDE warnings, self-contained headers will be less likely to break if the surrounding includes in .c files using them change. Signed-off-by: Ryan Lee <ryan.lee@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
8 daysapparmor: fix net.h and policy.h circular include patternRyan Lee
While the #ifdef guards prevent the circular include from blowing up, policy.h does not actually need anything from net.h. Remove, that include and instead include net.h in the other files that need it. Signed-off-by: Ryan Lee <ryan.lee@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
13 daysMerge tag 'apparmor-pr-2026-06-22' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor Pull apparmor updates from John Johansen: "Another round of bug fixing and some code cleanups, there are no new features. The biggest thing to note is Georgia is being added to help co-maintain apparmor. Cleanups: - replace get_zeroed_page() with kzalloc() - remove unnecessary goto and associated label - change fn_label_build() to return err on failure instead of NULL or err - free rawdata as soon as possible - use explicit instead of implicit flex array in rawdata_f_data - use __label_make_stale in __aa_proxy_redirect - return correct error by propagate -ENOMEM correctly in unpack_table - aa_label_alloc use aa_label_free on alloc failure - add a conditional version of get_newest_label Bug Fixes: - mediate the implicit connect of TCP fast open sendmsg - fix C23ism of label immediately before a declaration - fix kernel-doc warnings - fix spelling mistakes - fix use-after-free in rawdata dedup loop - Fix inverted comparison in cache_hold_inc() - fix uninitialized pointer passed to audit_log_untrustedstring() - don't audit files pointing to aa_null.dentry - put secmark label after secid lookup - fix aa_getprocattr free procattr leak on format failure - release exe file resources on path failure - fail policy unpack on accept2 allocation failure - Fix return in ns_mkdir_op - remove or add symlinks to rawdata according to export_binary - fix NULL pointer dereference in unpack_pdb - fix potential UAF in aa_replace_profiles - grab ns lock and refresh when looking up changehat child profiles - enable differential encoding - check label build before no_new_privs test - conditionally compile get_loaddata_common_ref() - fix unix socket mediation cache update, and leak" * tag 'apparmor-pr-2026-06-22' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: (35 commits) apparmor: advertise the tcp fast open fix is applied apparmor: mediate the implicit connect of TCP fast open sendmsg apparmor: fix label can not be immediately before a declaration apparmor: fix kernel-doc warnings apparmor: replace get_zeroed_page() with kzalloc() security: apparmor: fix two spelling mistakes apparmor: fix use-after-free in rawdata dedup loop apparmor: Fix inverted comparison in cache_hold_inc() apparmor: fix uninitialised pointer passed to audit_log_untrustedstring() apparmor: don't audit files pointing to aa_null.dentry apparmor: put secmark label after secid lookup apparmor: aa_getprocattr free procattr leak on format failure apparmor: remove unnecessary goto and associated label apparmor: release exe file resources on path failure apparmor: fail policy unpack on accept2 allocation failure apparmor: Fix return in ns_mkdir_op apparmor: remove or add symlinks to rawdata according to export_binary apparmor: fix NULL pointer dereference in unpack_pdb apparmor: make fn_label_build() capable of handling not supported apparmor: change fn_label_build() call to not return NULL ...
13 daysapparmor: advertise the tcp fast open fix is appliedJohn Johansen
The fix for tcp-fast-open ensures that the connect permission is being mediated correctly but it didn't add an artifact to the feature set to advertise the fix is available. Add an artifact so that the test suite can identify if the fix has not been properly applied or a new unexpected regression has occurred. Fixes: 4d587cd8a7215 ("apparmor: mediate the implicit connect of TCP fast open sendmsg") Signed-off-by: John Johansen <john.johansen@canonical.com>
2026-06-23apparmor: mediate the implicit connect of TCP fast open sendmsgBryam Vargas
sendmsg()/sendto() with MSG_FASTOPEN is a combination of connect(2) and write(2): it opens the connection in the SYN. apparmor_socket_sendmsg() only checks AA_MAY_SEND, so a profile that grants send but denies connect lets a confined task open an outbound TCP/MPTCP connection that connect(2) would have refused, bypassing connect mediation. Mediate the implicit connect when MSG_FASTOPEN is set and a destination is supplied. Add it to apparmor_socket_sendmsg() (not the shared aa_sock_msg_perm() helper, which recvmsg also uses) and call aa_sk_perm() directly, mirroring the selinux and tomoyo fixes. sk_is_tcp() does not cover MPTCP fast open, so the SOCK_STREAM/IPPROTO_MPTCP arm is explicit. Fixes: cf60af03ca4e ("net-tcp: Fast Open client - sendmsg(MSG_FASTOPEN)") Cc: stable@vger.kernel.org Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me> Signed-off-by: John Johansen <john.johansen@canonical.com>
2026-06-22smack: restrict smackfs/{direct,mapped} values to 0-255Konstantin Andreev
Both smackfs/direct and smackfs/mapped incorrectly accept the full range of integer values. For example: # cd /sys/fs/smackfs/ # cat direct ; echo 250 # cat cipso2 @ 250/2 _ 250/2,4,5,6,7,8 * 250/3,5,7 ^ 250/2,4,5,6,7 ? 250/3,4,5,6,7,8 # echo -1234 >direct ; cat direct ; echo -1234 # cat cipso2 @ -1234/2 _ -1234/2,4,5,6,7,8 * -1234/3,5,7 ^ -1234/2,4,5,6,7 ? -1234/3,4,5,6,7,8 # I noticed two things regarding this: 1) sensitivity levels are truncated to 8 bits when labeling outgoing packets (0x2e = 46 for the -1234 example above) 2) the reverse process fails: incoming packets with sensitivity level 46 do not match these smackfs/cipso2 entries. Even observation (1) on its own warrants a fix. This patch restricts smackfs/direct and smackfs/mapped accepted values to the 0-255 range. Fixes: e114e473771c ("Smack: Simplified Mandatory Access Control Kernel") Signed-off-by: Konstantin Andreev <andreev@swemel.ru> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2026-06-22smack: deduplicate smackfs/{direct,mapped} file_operationsKonstantin Andreev
The file_operations for smackfs/direct and smackfs/mapped are identical up to a textual replacement of "direct" with "mapped" This patch combines two instances of file_operations into one, handling both files. Fixes: f7112e6c9abf ("Smack: allow for significantly longer Smack labels v4") Signed-off-by: Konstantin Andreev <andreev@swemel.ru> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2026-06-22smack: show msgrcv() subject task in auditKonstantin Andreev
When a task msgrcv()'es some message the SMACK audit log message looks like: fn=smk_tskacc_msq action=denied subject="bar" object="foo" requested=rw pid=456 comm="mrcv" ipc_key=2 fn=smk_tskacc_msq action=granted subject="bar" object="foo" requested=rw pid=519 comm="mrcv" ipc_key=2 where pid= is a pid of a “current” task which calls smk_tskacc_msq(). Usually, the caller of smk_tskacc_msq() is also a subject task which determines its own permission. In the example above the 'mrcv' process has label 'bar' and wants "rw" for label "foo". However, when sender task delivers message using ipc/msg.c`pipelined_send(): ` security_msg_queue_msgrcv(,, msr->r_tsk,,) ` smp_store_release(&msr->r_msg, msg) “current” task and “subject” task differ, and the “subject” task is missed from the audit message. This patch adds two fields, subj_pid and subj_comm, into the audit message: fn=smk_tskacc_msq action=granted subject="bar" object="foo" requested=rw subj_pid=564 subj_comm="mrcv" pid=577 comm="msnd" ipc_key=2 Signed-off-by: Konstantin Andreev <andreev@swemel.ru> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2026-06-22smack: fix incorrect task context in smack_msg_queue_msgrcvKonstantin Andreev
The smack_msg_queue_msgrcv() function incorrectly checks the permissions of the 'current' task instead of the 'target' task. In the msgsnd() syscall path, if a receiver is already waiting, the pipelined_send() optimization is used to push the message directly to the receiver task: ipc/msg.c`pipelined_send(): ` smp_store_release(&msr->r_msg, msg) In this case, the 'sender' (current) task performs the check on behalf of the 'receiver' task (msr->r_tsk, passed as the 'target' parameter): ipc/msg.c`pipelined_send(): ` security_msg_queue_msgrcv(,, target := msr->r_tsk,,) However, smack_msg_queue_msgrcv() ignores the 'target' and checks 'current': smack_msg_queue_msgrcv(…) ` smk_curacc_msq(isp, MAY_READWRITE); // current task 'current' MAY satisfy smack_msg_queue_msgrcv r/w requirement, but 'target' (the receiver task) might NOT; as a result, an unauthorized receiver gets the message, violating MAC policy. Test: 1) create a sysv message queue with label “foo” 2) echo "bar foo r" >/smack/load2 3) msgrcv(,,,0,MSG_NOERROR) in "bar"-labeled task. The task is waiting for the messages ... 4) msgsnd() from a "foo"-labeled task: "bar"-labeled task gets the message. This patch fixes the issue by checking permission on the 'target' task instead of 'current'. (2008-02-04, Casey Schaufler) Fixes: e114e473771c ("Smack: Simplified Mandatory Access Control Kernel") Signed-off-by: Konstantin Andreev <andreev@swemel.ru> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2026-06-22security: smack: fix spelling mistakeQingshuang Fu
Fix misspelling: overriden → overridden Signed-off-by: Qingshuang Fu <fuqingshuang@kylinos.cn> Changes since v1: - Split original single patch into two standalone patches, separate AppArmor and Smack changes for different maintainer trees. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2026-06-19Merge tag 'landlock-7.2-rc1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux Pull landlock updates from Mickaël Salaün: "This adds new Landlock access rights to control UDP bind and connect/send operations, and a new "quiet" feature to mute specific specific audit logs (and other future observability events). A few commits also fix Landlock issues" * tag 'landlock-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux: (24 commits) selftests/landlock: Add tests for invalid use of quiet flag selftests/landlock: Add tests for quiet flag with scope selftests/landlock: Add tests for quiet flag with net rules selftests/landlock: Add tests for quiet flag with fs rules selftests/landlock: Replace hard-coded 16 with a constant samples/landlock: Add quiet flag support to sandboxer landlock: Suppress logging when quiet flag is present landlock: Add API support and docs for the quiet flags landlock: Add a place for flags to layer rules landlock: Add documentation for UDP support samples/landlock: Add sandboxer UDP access control selftests/landlock: Add tests for UDP send selftests/landlock: Add tests for UDP bind/connect landlock: Add UDP send+connect access control landlock: Add UDP bind() access control landlock: Fix unmarked concurrent access to socket family selftests/landlock: Explicitly disable audit in teardowns selftests/landlock: Test SCOPE_SIGNAL on the SIGIO/fowner pgid path landlock: Fix LANDLOCK_SCOPE_SIGNAL bypass on the SIGIO path landlock: Demonstrate best-effort allowed_access filtering ...
2026-06-19Merge tag 'for-next-keys-7.2-rc1-2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd Pull keys update from Jarkko Sakkinen: "This contains only bug fixes" * tag 'for-next-keys-7.2-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd: keys: keyctl_pkey: replace BUG with return -EOPNOTSUPP keys: request_key: replace BUG with return -EINVAL keys: Pin request_key_auth payload in instantiate paths keys: prevent slab cache merging for key_jar keys: Replace strcpy(derived_buf, "AUTH_KEY") with strscpy(..., HASH_SIZE) KEYS: Use acquire when reading state in keyring search keys/trusted_keys: mark 'migratable' as __ro_after_init keys: use kmalloc_flex in user_preparse KEYS: trusted: Debugging as a feature KEYS: encrypted: Remove unnecessary selection of CRYPTO_RNG KEYS: fix overflow in keyctl_pkey_params_get_2()
2026-06-19Merge tag 'integrity-v7.2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity Pull IMA updates from Mimi Zohar: - Introduce IMA and EVM post-quantum ML-DSA signature support ML-DSA signature support for IMA and EVM is limited to sigv3 signatures, which calculates and verifies a hash of a compact structure containing the file data/metadata hash, hash type, and hash algorithm. IMA and EVM still calculate the file data/metadata hashes respectively. - Introduce support for removing IMA measurement list records stored in kernel memory The IMA measurement list can grow large depending on policy, but removing records breaks remote attestation, unless they are safely preserved and made available for attestation requests. Until environments are prepared to preserve the measurement records, a new CONFIG_IMA_STAGING Kconfig option is introduced to guard against deletion. Several approaches for removing measurement list records were evaluated but rejected due to filesystem constraints, the introduction of a new critical data record, and locking concerns. Two methods are being upstreamed: staged deletion with confirmation, and staged deletion of N records without confirmation. Both methods minimize the period during which new measurements are blocked from being appended to the measurement list by staging the measurement list. A comparison of the two methods is included in the documentation. - Some code cleanup, and a couple of bug fixes * tag 'integrity-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity: doc: security: Add documentation of exporting and deleting IMA measurements ima: Support staging and deleting N measurements records ima: Add support for flushing the hash table when staging measurements ima: Add support for staging measurements with prompt ima: Introduce ima_dump_measurement() ima: Use snprintf() in create_securityfs_measurement_lists ima: Mediate open/release method of the measurements list ima: Introduce _ima_measurements_start() and _ima_measurements_next() ima: Introduce per binary measurements list type binary_runtime_size value ima: Introduce per binary measurements list type ima_num_records counter ima: Replace static htable queue with dynamically allocated array ima: Remove ima_h_table structure evm: terminate and bound the evm_xattrs read buffer integrity: Add support for sigv3 verification using ML-DSA keys integrity: Refactor asymmetric_verify for reusability integrity: Check that algo parameter is within valid range integrity: Check for NULL returned by asymmetric_key_public_key ima: return error early if file xattr cannot be changed ima: Fix sigv3 signature handling for EVM_IMA_XATTR_DIGSIG
2026-06-17Merge tag 'selinux-pr-20260615' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux Pull selinux updates from Paul Moore: "A number of SELinux patches, almost all of which are either minor fixes or hardening patches: - Additional verifications when loading new SELinux policy Multiple patches by Christian Göttsche to add additional validations to the code responsible for loading and parsing SELinux policy as it is loaded into the kernel. - Avoid nontransitive comparisons comparisons in our sorting code Done to prevent unexpected sorting results due to overflow. Qualys documented a similar issue with glibc https://www.qualys.com/2024/01/30/qsort.txt - Consistently use u16 for SELinux security classes - Move from page allocations to kmalloc() based allocations Unfortunately one of these patches had to be reverted, but you should see a fixed version during the next merge window. - Move from kmalloc_objs() to kzalloc_objs() in the policy load code - Reorder sel_kill_sb() slightly to match other pseudo filesystems - Simplify things with QSTR() instead of QSTR_INIT() - Minor comment typo fixes" * tag 'selinux-pr-20260615' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: selinux: revert use of __getname() in selinux_genfs_get_sid() selinux: comment spelling fix in ibpkey.c selinux: comment typo fix in selinuxfs.c selinux: hooks: use __getname() to allocate path buffer selinux: use k[mz]alloc() to allocate temporary buffers selinux: check for simple types selinux: more strict bounds check selinux: beef up isvalid checks selinux: reorder policydb_index() selinux: check type attr map overflows selinux: check length fields in policies selinux: more strict policy parsing selinux: use u16 for security classes selinux: avoid nontransitive comparison selinux: switch two allocations to use kzalloc_objs() selinux: fix sel_kill_sb() selinux: use QSTR() instead of QSTR_INIT() in init_sel_fs
2026-06-17Merge tag 'lsm-pr-20260615' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm Pull lsm update from Paul Moore: "A single LSM update the security_inode_listsecurity() hook to be able to leverage the xattr_list_one() helper function. We wanted to do this for a while, but we needed to fixup the callers in the NFS code first. With the NFS code changes shipping in Linux v7.0 and no one complaining, it seemed a good time to complete the shift" * tag 'lsm-pr-20260615' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm: security,fs,nfs,net: update security_inode_listsecurity() interface
2026-06-17Merge tag 'net-next-7.2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next Pull networking updates from Jakub Kicinski: "Core & protocols: - Work on removing rtnl_lock protection throughout the stack continues. In this chapter: - don't use rtnl_lock for IPv6 multicast routing configuration - don't take rtnl_lock in ethtool for modern drivers - prepare Qdisc dump callbacks for rtnl_lock removal - Support dumping just ifindex + name of all interfaces, under RCU. It's a common operation for Netlink CLI tools (when translating names to ifindexes) and previously required full rtnl_lock. - Support dumping qdiscs and page pools for a specific netdev. Even tho user space wants a dump of all netdevs, most of the time, the OOO programming model results in repeating the dump for each netdev. Which, in absence of a cache, leads to a O(n^2) behavior. - Flush nexthops once on multi-nexthop removal (e.g. when device goes down), another O(n^2) -> O(n) improvement. - Rehash locally generated traffic to a different nexthop on retransmit timeout. - Honor oif when choosing nexthop for locally generated IPv6 traffic. - Convert TCP Auth Option to crypto library, and drop non-RFC algos. - Increase subflow limits in MPTCP to 64 and endpoint limit to 256. - Support MPTCP signaling of IPv6 address + port (ADD_ADDR). We need to selectively skip reporting of the standard TCP Timestamp option, because they won't fit into the header space together (12 + 30 > 40). - Support using bridge neighbor suppression, Duplicate Address Detection, Gratuitous ARP and unsolicited NA forwarding - in EVPN deployments, e.g. VXLAN fabrics (IPv4 and IPv6). - Improve link state reporting for upper netdevs (e.g. macvlan) over tunnel devices (again, mostly for EVPN deployments). - Support binding GENEVE tunnels to a local address. - Speed up UDP tunnel destruction (remove one synchronize_rcu()). - Support exponential field encoding in multicast (IGMPv3 and MLDv2). - Support attaching PSP crypto offload to containers (veth, netkit). - Add a new IPSec Netlink message XFRM_MSG_MIGRATE_STATE that allows migrating individual IPsec SAs independently of their policies. The existing XFRM_MSG_MIGRATE is tightly coupled to policy+SA migration, lacks SPI for unique SA identification, and cannot express reqid changes or migrate Transport mode selectors. The new interface identifies the SA via SPI and mark, supports reqid changes, address family changes, encap removal, and uses an atomic create+install flow under x->lock to prevent SN/IV reuse during AEAD SA migration. - Implement GRO/GSO support for PPPoE. - Convert sockopt callbacks in a number of protocols to iov_iter. Cross-tree stuff: - Remove support for Crypto TFM cloning (unblocked after the TCP Auth Option rework). This feature regressed performance for all crypto API users, since it changed crypto transformation objects into reference-counted objects. - Add FCrypt-PCBC implementation to rxrpc and remove it from the global crypto API as obsolete and insecure. Wireless: - Major rework of station bandwidth handling, fixing issues with lower capability than AP. - Cleanups for EMLSR spec issues (drafts differed). - More Neighbor Awareness Networking (Wi-Fi Aware) work (multicast, schedule improvements, multi-station etc.) - Some Ultra High Reliability (UHR) / IEEE 802.11bn (D1.4) work (e.g. non-primary channel access, UHR DBE support). - Fine Timing Measurement ranging (i.e. distance measurement) APIs. Netfilter: - Use per-rule hash initval in nf_conncount. This avoids unnecessary lock contention with short keys (e.g. conntrack zones) in different namespaces. - Various safety improvements, both in packet parsing and object lifetimes. Notably add refcounts to conntrack timeout policy. Deletions: - Remove TLS + sockmap integration. TLS wants to pin user pages to avoid a copy, and sockmap wants to write to the input stream. More work on this integration is clearly needed, and we can't find any users (original author admitted that they never deployed it). - Remove support for TLS offload with TCP Offload Engine (the far more common opportunistic offload is retained). The locking looks unfixable (driver sleeps under TCP spin locks) and people from the vendor that added this are AWOL. - Remove more ATM code, trying to leave behind only what PPPoATM needs, AAL5 and br2684 with permanent circuits. - Remove AppleTalk. Let it join hamradio in our out of tree protocol graveyard, I mean, repository. - Disable 32-bit x_tables compatibility (32bit binaries on 64bit kernel) interface in user namespaces. To be deleted completely, soon. - Remove 5/10 MHz support from cfg80211/mac80211. Drivers: - Software: - Support DEVMEM/DMABUF Tx over NETMEM_TX_NO_DMA devices (netkit) - bonding: add knob to strictly follow 802.3ad for link state - New drivers: - Alibaba Elastic Ethernet Adaptor (cloud vNIC). - NXP NETC switch within i.MX94. - DPLL: - Add operational state to pins (implement in zl3073x). - Add generic DPLL type, for daisy-chaining DPLLs (implement in ice). - Ethernet high-speed NICs: - Huawei (hinic3): - enhance tc flow offload support with queue selection, tunnels - nVidia/Mellanox: - avoid over-copying payload to the skb's linear part (up to 60% win for LRO on slow CPUs like ARM64 V2) - expose more per-queue stats over the standard API - support additional, unprivileged PFs in the DPU configuration - support Socket Direct (multi-PF) with switchdev offloads - add a pool / frag allocator for DMA mapped buffers for control objects, save memory on systems with 64kB page size - take advantage of the ability to dynamically change RSS table size, even when table is configured by the user - increase the max RSS table size for even traffic distribution - Ethernet NICs: - Marvell/Aquantia: - AQC113 PTP support - Realtek USB (r8152): - support 10Gbit Link Speeds and Energy-Efficient Ethernet (EEE) - support firmware loaded (for RTL8157/RTL8159) - support for the RTL8159 - Intel (ixgbe): - support Energy-Efficient Ethernet (EEE) on E610 devices - Ethernet switches: - Airoha: - support multiple netdevs on a single GDM block / port - Marvell (mv88e6xxx): - support SERDES of mv88e6321 - Microchip (ksz8/9): - rework the driver callbacks to remove one indirection layer - Motorcomm (yt921x): - support port rate policing - support TBF qdisc offload - support ACL/flower offload - nVidia/Mellanox: - expose per-PG rx_discards - Realtek: - rtl8365mb: bridge offloading and VLAN support - Ethernet PHYs: - Airoha: - support Airoha AN8801R Gigabit PHYs. - Micrel: - implement 3 low-loss cable tunables - Realtek: - support MDI swapping for RTL8226-CG - support MDIO for RTL931x - Qualcomm: - at803x: Rx and Tx clock management for IPQ5018 PHY - Motorcomm: - support YT8522 100M RMII PHY - set drive strength in YT8531s RGMII - TI: - dp83822: add optional external PHY clock - Bluetooth: - hci_sync: add support for HCI_LE_Set_Host_Feature [v2] - SMP: use AES-CMAC library API - Intel: - support Product level reset - support smart trigger dump - Mediatek: - add event filter to filter specific event - Realtek: - fix RTL8761B/BU broken LE extended scan - WiFi: - Broadcom (b43): - new support for a 11n device - MediaTek (mt76): - support mt7927 - mt792x: broken usb transport detection - mt7921: regulatory improvements - Qualcomm (ath9k): - GPIO interface improvements - Qualcomm (ath12k): - WDS support - replace dynamic memory allocation in WMI Rx path - thermal throttling/cooling device support - 6 GHz incumbent interference detection - channel 177 in 5 GHz - Realtek (rt89): - RTL8922AU support - USB 3 mode switch for performance - better monitor radiotap support - RTL8922DE preparations" * tag 'net-next-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next: (1778 commits) ipv4: fib_rule: Move fib4_rules_exit() to ->exit(). net: serialize netif_running() check in enqueue_to_backlog() net: skmsg: preserve sg.copy across SG transforms appletalk: move the protocol out of tree appletalk: stop storing per-interface state in struct net_device selftests/bpf: test that TLS crypto is rejected on a sockmap socket selftests/bpf: drop the unused kTLS program from test_sockmap selftests/bpf: remove sockmap + ktls tests tls: remove dead sockmap (psock) handling from the SW path tls: reject the combination of TLS and sockmap atm: remove orphaned uAPI for deleted drivers, protocols and SVCs atm: remove unused ATM PHY operations atm: remove the unused pre_send and send_bh device operations atm: remove the unused change_qos device operation atm: remove SVC socket support and the signaling daemon interface atm: remove the local ATM (NSAP) address registry atm: remove dead SONET PHY ioctls atm: remove the unused send_oam / push_oam callbacks atm: remove AAL3/4 transport support net: dsa: sja1105: fix lastused timestamp in flower stats ...
2026-06-15keys: keyctl_pkey: replace BUG with return -EOPNOTSUPPMohammed EL Kadiri
Replace two BUG() calls in keyctl_pkey_params_get_2() and keyctl_pkey_e_d_s() default cases with -EOPNOTSUPP, matching the error style already used in these functions. Signed-off-by: Mohammed EL Kadiri <med08elkadiri@gmail.com> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2026-06-15keys: request_key: replace BUG with return -EINVALMohammed EL Kadiri
Replace BUG() in construct_get_dest_keyring() default case with return -EINVAL to handle the unimplemented group keyring destination gracefully. Signed-off-by: Mohammed EL Kadiri <med08elkadiri@gmail.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Link: https://lore.kernel.org/r/20260613130408.13709-2-med08elkadiri@gmail.com Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2026-06-15keys: Pin request_key_auth payload in instantiate pathsShaomin Chen
A: request_key() B: KEYCTL_INSTANTIATE_IOV ================ ========================= create auth key store rka in auth key wait for helper get auth key load rka from auth key copy user payload sleep on #PF helper completed detach and free rka destroy auth key wake up use rka->target_key **USE-AFTER-FREE** Give request_key_auth payloads a refcount. Take a payload reference while authkey->sem stabilizes the payload and revocation state. Hold that reference across the instantiate and reject paths. Drop the auth key owning reference from revoke and destroy. [jarkko: Replaced the first two paragraphs of text with an actual concurrency scenario.] Cc: stable@vger.kernel.org # v5.10+ Fixes: b5f545c880a2 ("[PATCH] keys: Permit running process to instantiate keys") Reported-by: Shaomin Chen <eeesssooo020@gmail.com> Closes: https://lore.kernel.org/r/20260519144403.436694-1-eeesssooo020@gmail.com Signed-off-by: Shaomin Chen <eeesssooo020@gmail.com> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2026-06-15keys: prevent slab cache merging for key_jarMohammed EL Kadiri
Add SLAB_NO_MERGE to key_jar to prevent the allocator from merging it with other similarly-sized caches. This hardens struct key isolation by ensuring dedicated slab pages. Acked-by: Vlastimil Babka (SUSE) <vbabka@kernel.org> Signed-off-by: Mohammed EL Kadiri <med08elkadiri@gmail.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Link: https://lore.kernel.org/r/20260610065052.9120-1-med08elkadiri@gmail.com Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2026-06-15keys: Replace strcpy(derived_buf, "AUTH_KEY") with strscpy(..., HASH_SIZE)David Laight
derived_buf is guaranteed to be HASH_SIZE - and it is more than enough. The strscpy() degenerates into an memcpy() (as did the strcpy()). Do the same for the associated "ENC_KEY" copy. Removes a possibly unbounded strcpy(). Signed-off-by: David Laight <david.laight.linux@gmail.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Link: https://lore.kernel.org/r/20260606202633.5018-9-david.laight.linux@gmail.com Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2026-06-15KEYS: Use acquire when reading state in keyring searchGui-Dong Han
The negative-key race fix added release/acquire ordering for key use. Publish payload before state; read state before payload. keyring_search_iterator() still uses READ_ONCE() before match callbacks. An asymmetric match callback calls asymmetric_key_ids(), which reads key->payload.data[asym_key_ids]. Use key_read_state() there to complete that ordering. Fixes: 363b02dab09b ("KEYS: Fix race between updating and finding a negative key") Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Link: https://lore.kernel.org/r/20260529033406.20673-1-hanguidong02@gmail.com Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2026-06-15keys/trusted_keys: mark 'migratable' as __ro_after_initLen Bao
The 'migratable' variable is initialized only during the init phase in the 'init_trusted' function and never changed. So, mark it as __ro_after_init. Signed-off-by: Len Bao <len.bao@gmx.us> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Link: https://lore.kernel.org/r/20260516152249.41851-1-len.bao@gmx.us Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2026-06-15keys: use kmalloc_flex in user_preparseThorsten Blum
Use kmalloc_flex() when allocating a new struct user_key_payload in user_preparse() to replace the open-coded size arithmetic and to keep the size type-safe. Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Link: https://lore.kernel.org/r/20260504093058.49720-3-thorsten.blum@linux.dev Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2026-06-15KEYS: trusted: Debugging as a featureJarkko Sakkinen
TPM_DEBUG, and other similar flags, are a non-standard way to specify a feature in Linux kernel. Introduce CONFIG_TRUSTED_KEYS_DEBUG for trusted keys, and use it to replace these ad-hoc feature flags. Given that trusted keys debug dumps can contain sensitive data, harden the feature as follows: 1. In the Kconfig description postulate that pr_debug() statements must be used. 2. Use pr_debug() statements in TPM 1.x driver to print the protocol dump. 3. Require trusted.debug=1 on the kernel command line (default: 0) to activate dumps at runtime, even when CONFIG_TRUSTED_KEYS_DEBUG=y. Traces, when actually needed, can be easily enabled by providing trusted.dyndbg='+p' and trusted.debug=1 in the kernel command-line. Reported-by: Nayna Jain <nayna@linux.ibm.com> Closes: https://lore.kernel.org/all/7f8b8478-5cd8-4d97-bfd0-341fd5cf10f9@linux.ibm.com/ Reviewed-by: Nayna Jain <nayna@linux.ibm.com> Tested-by: Srish Srinivasan <ssrish@linux.ibm.com> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2026-06-15KEYS: encrypted: Remove unnecessary selection of CRYPTO_RNGEric Biggers
encrypted-keys uses the regular Linux RNG (get_random_bytes()), not the duplicative crypto_rng one. So it does not need to select CRYPTO_RNG. Signed-off-by: Eric Biggers <ebiggers@kernel.org> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2026-06-15KEYS: fix overflow in keyctl_pkey_params_get_2()Jarkko Sakkinen
The length for the internal output buffer is calculated incorrectly, which can result overflow when a too small buffer is provided. Fix the bug by allocating internal output with the size of the maximum length of the cryptographic primitive instead of caller provided size. Link: https://lore.kernel.org/keyrings/20260531024914.3712130-1-jarkko@kernel.org/ Cc: stable@vger.kernel.org # v4.20+ Fixes: 00d60fd3b932 ("KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver #2]") Reported-by: Alessandro Groppo <ale.grpp@gmail.com> Tested-by: Alessandro Groppo <ale.grpp@gmail.com> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2026-06-14apparmor: fix label can not be immediately before a declarationJohn Johansen
Fix error reported by kernel test robot security/apparmor/policy.c:1381:2: error: a label can only be part of a statement and a declaration is not a statement All errors (new ones prefixed by >>): security/apparmor/policy.c: In function 'aa_replace_profiles': >> security/apparmor/policy.c:1381:2: error: a label can only be part of a statement and a declaration is not a statement ssize_t udata_sz = udata->size; ^~~~~ Reported-by: kernel test robot <lkp@intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202606150525.npax8WiH-lkp@intel.com/ Fixes: 7b42f95813dc9 ("apparmor: fix potential UAF in aa_replace_profiles") Signed-off-by: John Johansen <john.johansen@canonical.com>
2026-06-15Merge tag 'kbuild-7.2-1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/kbuild/linux Pull Kbuild / Kconfig updates from Nathan Chancellor: "Kbuild: - Remove broken module linking exclusion for BTF - Add documentation around how offset header files work - Include unstripped vDSO libraries in pacman packages - Bump minimum version of LLVM for building the kernel to 17.0.1 and clean up unnecessary workarounds - Use a context manager in run-clang-tools - Add dist macro value if present to release tag for RPM packages - Detect and report truncated buf_printf() output in modpost - Add __llvm_covfun and __llvm_covmap to section whitelist in modpost - Support Clang's distributed ThinLTO mode - Remove architecture specific configurations for AutoFDO and Propeller to ease individual architecture maintenance Kconfig: - Add kconfig-sym-check target to look for dangling Kconfig symbol references and invalid tristate literal values - Harden against potential NULL pointer dereference - Fix typo in Kconfig test comment" * tag 'kbuild-7.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/kbuild/linux: (31 commits) kconfig: tests: fix typo in comment kconfig: Remove the architecture specific config for Propeller kconfig: Remove the architecture specific config for AutoFDO modpost: Add __llvm_covfun and __llvm_covmap to section_white_list kconfig: add kconfig-sym-check static checker kbuild: Remove unnecessary 'T' modifier in cmd_ar_builtin_fixup kbuild: distributed build support for Clang ThinLTO kbuild: move vmlinux.a build rule to scripts/Makefile.vmlinux_a scripts: modpost: detect and report truncated buf_printf() output kbuild: rpm-pkg: append %{?dist} macro to Release tag run-clang-tools: run multiprocessing.Pool as context manager compiler-clang.h: Drop explicit version number from "all" diagnostic macro compiler-clang.h: Remove __cleanup -Wunused-variable workaround kbuild: Remove check for broken scoping with clang < 17 in CC_HAS_ASM_GOTO_OUTPUT x86/entry/vdso32: Remove conditional omission of '.cfi_offset eflags' x86/module: Revert "Deal with GOT based stack cookie load on Clang < 17" x86/build: Drop unnecessary '-ffreestanding' addition to KBUILD_CFLAGS scripts/Makefile.warn: Drop -Wformat handling for clang < 16 riscv: Drop tautological condition from TOOLCHAIN_NEEDS_OLD_ISA_SPEC riscv: Remove tautological condition from selection of ARCH_SUPPORTS_CFI ...