<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/security/security.c, branch v6.12.95</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>lsm: add backing_file LSM hooks</title>
<updated>2026-07-04T11:43:31+00:00</updated>
<author>
<name>Paul Moore</name>
<email>paul@paul-moore.com</email>
</author>
<published>2026-06-29T07:03:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5b6aa9a843205da92d860e5011a7b29062a76b8f'/>
<id>5b6aa9a843205da92d860e5011a7b29062a76b8f</id>
<content type='text'>
[ Upstream commit 6af36aeb147a06dea47c49859cd6ca5659aeb987 ]

Stacked filesystems such as overlayfs do not currently provide the
necessary mechanisms for LSMs to properly enforce access controls on the
mmap() and mprotect() operations.  In order to resolve this gap, an LSM
security blob is being added to the backing_file struct and the following
new LSM hooks are being created:

 security_backing_file_alloc()
 security_backing_file_free()
 security_mmap_backing_file()

The first two hooks are to manage the lifecycle of the LSM security blob
in the backing_file struct, while the third provides a new mmap() access
control point for the underlying backing file.  It is also expected that
LSMs will likely want to update their security_file_mprotect() callback
to address issues with their mprotect() controls, but that does not
require a change to the security_file_mprotect() LSM hook.

There are three other small changes to support these new LSM hooks:
* Pass the user file associated with a backing file down to
alloc_empty_backing_file() so it can be included in the
security_backing_file_alloc() hook.
* Add getter and setter functions for the backing_file struct LSM blob
as the backing_file struct remains private to fs/file_table.c.
* Constify the file struct field in the LSM common_audit_data struct to
better support LSMs that need to pass a const file struct pointer into
the common LSM audit code.

Thanks to Arnd Bergmann for identifying the missing EXPORT_SYMBOL_GPL()
and supplying a fixup.

Cc: stable@vger.kernel.org
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-unionfs@vger.kernel.org
Cc: linux-erofs@lists.ozlabs.org
Reviewed-by: Amir Goldstein &lt;amir73il@gmail.com&gt;
Reviewed-by: Serge Hallyn &lt;serge@hallyn.com&gt;
Reviewed-by: Christian Brauner &lt;brauner@kernel.org&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
[ Mainline declares lsm_backing_file_cache in security/lsm.h.  Linux 6.12.y
does not have security/lsm_init.c or security/lsm.h; the cache variable
is defined locally as static struct kmem_cache *lsm_backing_file_cache in
security/security.c. ]
Signed-off-by: Cai Xinchen &lt;caixinchen1@huawei.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 6af36aeb147a06dea47c49859cd6ca5659aeb987 ]

Stacked filesystems such as overlayfs do not currently provide the
necessary mechanisms for LSMs to properly enforce access controls on the
mmap() and mprotect() operations.  In order to resolve this gap, an LSM
security blob is being added to the backing_file struct and the following
new LSM hooks are being created:

 security_backing_file_alloc()
 security_backing_file_free()
 security_mmap_backing_file()

The first two hooks are to manage the lifecycle of the LSM security blob
in the backing_file struct, while the third provides a new mmap() access
control point for the underlying backing file.  It is also expected that
LSMs will likely want to update their security_file_mprotect() callback
to address issues with their mprotect() controls, but that does not
require a change to the security_file_mprotect() LSM hook.

There are three other small changes to support these new LSM hooks:
* Pass the user file associated with a backing file down to
alloc_empty_backing_file() so it can be included in the
security_backing_file_alloc() hook.
* Add getter and setter functions for the backing_file struct LSM blob
as the backing_file struct remains private to fs/file_table.c.
* Constify the file struct field in the LSM common_audit_data struct to
better support LSMs that need to pass a const file struct pointer into
the common LSM audit code.

Thanks to Arnd Bergmann for identifying the missing EXPORT_SYMBOL_GPL()
and supplying a fixup.

Cc: stable@vger.kernel.org
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-unionfs@vger.kernel.org
Cc: linux-erofs@lists.ozlabs.org
Reviewed-by: Amir Goldstein &lt;amir73il@gmail.com&gt;
Reviewed-by: Serge Hallyn &lt;serge@hallyn.com&gt;
Reviewed-by: Christian Brauner &lt;brauner@kernel.org&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
[ Mainline declares lsm_backing_file_cache in security/lsm.h.  Linux 6.12.y
does not have security/lsm_init.c or security/lsm.h; the cache variable
is defined locally as static struct kmem_cache *lsm_backing_file_cache in
security/security.c. ]
Signed-off-by: Cai Xinchen &lt;caixinchen1@huawei.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>xen/privcmd: add boot control for restricted usage in domU</title>
<updated>2026-03-25T10:08:57+00:00</updated>
<author>
<name>Juergen Gross</name>
<email>jgross@suse.com</email>
</author>
<published>2025-10-14T11:28:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1f00bad1b69b79ae9bfe066416a63c5835b54124'/>
<id>1f00bad1b69b79ae9bfe066416a63c5835b54124</id>
<content type='text'>
commit 1613462be621ad5103ec338a7b0ca0746ec4e5f1 upstream.

When running in an unprivileged domU under Xen, the privcmd driver
is restricted to allow only hypercalls against a target domain, for
which the current domU is acting as a device model.

Add a boot parameter "unrestricted" to allow all hypercalls (the
hypervisor will still refuse destructive hypercalls affecting other
guests).

Make this new parameter effective only in case the domU wasn't started
using secure boot, as otherwise hypercalls targeting the domU itself
might result in violating the secure boot functionality.

This is achieved by adding another lockdown reason, which can be
tested for not being set when applying the "unrestricted" option.

This is part of XSA-482

Signed-off-by: Juergen Gross &lt;jgross@suse.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 1613462be621ad5103ec338a7b0ca0746ec4e5f1 upstream.

When running in an unprivileged domU under Xen, the privcmd driver
is restricted to allow only hypercalls against a target domain, for
which the current domU is acting as a device model.

Add a boot parameter "unrestricted" to allow all hypercalls (the
hypervisor will still refuse destructive hypercalls affecting other
guests).

Make this new parameter effective only in case the domU wasn't started
using secure boot, as otherwise hypercalls targeting the domU itself
might result in violating the secure boot functionality.

This is achieved by adding another lockdown reason, which can be
tested for not being set when applying the "unrestricted" option.

This is part of XSA-482

Signed-off-by: Juergen Gross &lt;jgross@suse.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>bcachefs: do not use PF_MEMALLOC_NORECLAIM</title>
<updated>2024-10-09T19:47:18+00:00</updated>
<author>
<name>Michal Hocko</name>
<email>mhocko@suse.com</email>
</author>
<published>2024-09-26T17:11:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9897713fe1077c90b4a86c9af0a878d56c8888a2'/>
<id>9897713fe1077c90b4a86c9af0a878d56c8888a2</id>
<content type='text'>
Patch series "remove PF_MEMALLOC_NORECLAIM" v3.


This patch (of 2):

bch2_new_inode relies on PF_MEMALLOC_NORECLAIM to try to allocate a new
inode to achieve GFP_NOWAIT semantic while holding locks. If this
allocation fails it will drop locks and use GFP_NOFS allocation context.

We would like to drop PF_MEMALLOC_NORECLAIM because it is really
dangerous to use if the caller doesn't control the full call chain with
this flag set. E.g. if any of the functions down the chain needed
GFP_NOFAIL request the PF_MEMALLOC_NORECLAIM would override this and
cause unexpected failure.

While this is not the case in this particular case, using the scoped gfp
semantic is not really needed because we can easily push the allocation
context down the chain without too much clutter.

[akpm@linux-foundation.org: fix kerneldoc warnings]
Link: https://lkml.kernel.org/r/20240926172940.167084-1-mhocko@kernel.org
Link: https://lkml.kernel.org/r/20240926172940.167084-2-mhocko@kernel.org
Signed-off-by: Michal Hocko &lt;mhocko@suse.com&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Reviewed-by: Dave Chinner &lt;dchinner@redhat.com&gt;
Reviewed-by: Jan Kara &lt;jack@suse.cz&gt; # For vfs changes
Cc: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Cc: Christian Brauner &lt;brauner@kernel.org&gt;
Cc: James Morris &lt;jmorris@namei.org&gt;
Cc: Kent Overstreet &lt;kent.overstreet@linux.dev&gt;
Cc: Paul Moore &lt;paul@paul-moore.com&gt;
Cc: Serge E. Hallyn &lt;serge@hallyn.com&gt;
Cc: Yafang Shao &lt;laoar.shao@gmail.com&gt;
Cc: Matthew Wilcox (Oracle) &lt;willy@infradead.org&gt;
Cc: Vlastimil Babka &lt;vbabka@suse.cz&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Patch series "remove PF_MEMALLOC_NORECLAIM" v3.


This patch (of 2):

bch2_new_inode relies on PF_MEMALLOC_NORECLAIM to try to allocate a new
inode to achieve GFP_NOWAIT semantic while holding locks. If this
allocation fails it will drop locks and use GFP_NOFS allocation context.

We would like to drop PF_MEMALLOC_NORECLAIM because it is really
dangerous to use if the caller doesn't control the full call chain with
this flag set. E.g. if any of the functions down the chain needed
GFP_NOFAIL request the PF_MEMALLOC_NORECLAIM would override this and
cause unexpected failure.

While this is not the case in this particular case, using the scoped gfp
semantic is not really needed because we can easily push the allocation
context down the chain without too much clutter.

[akpm@linux-foundation.org: fix kerneldoc warnings]
Link: https://lkml.kernel.org/r/20240926172940.167084-1-mhocko@kernel.org
Link: https://lkml.kernel.org/r/20240926172940.167084-2-mhocko@kernel.org
Signed-off-by: Michal Hocko &lt;mhocko@suse.com&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Reviewed-by: Dave Chinner &lt;dchinner@redhat.com&gt;
Reviewed-by: Jan Kara &lt;jack@suse.cz&gt; # For vfs changes
Cc: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Cc: Christian Brauner &lt;brauner@kernel.org&gt;
Cc: James Morris &lt;jmorris@namei.org&gt;
Cc: Kent Overstreet &lt;kent.overstreet@linux.dev&gt;
Cc: Paul Moore &lt;paul@paul-moore.com&gt;
Cc: Serge E. Hallyn &lt;serge@hallyn.com&gt;
Cc: Yafang Shao &lt;laoar.shao@gmail.com&gt;
Cc: Matthew Wilcox (Oracle) &lt;willy@infradead.org&gt;
Cc: Vlastimil Babka &lt;vbabka@suse.cz&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'bpf-next-6.12-struct-fd' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next</title>
<updated>2024-09-24T21:54:26+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2024-09-24T21:54:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=fa8380a06bd0523e51f826520aac1beb8c585521'/>
<id>fa8380a06bd0523e51f826520aac1beb8c585521</id>
<content type='text'>
Pull bpf 'struct fd' updates from Alexei Starovoitov:
 "This includes struct_fd BPF changes from Al and Andrii"

* tag 'bpf-next-6.12-struct-fd' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next:
  bpf: convert bpf_token_create() to CLASS(fd, ...)
  security,bpf: constify struct path in bpf_token_create() LSM hook
  bpf: more trivial fdget() conversions
  bpf: trivial conversions for fdget()
  bpf: switch maps to CLASS(fd, ...)
  bpf: factor out fetching bpf_map from FD and adding it to used_maps list
  bpf: switch fdget_raw() uses to CLASS(fd_raw, ...)
  bpf: convert __bpf_prog_get() to CLASS(fd, ...)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull bpf 'struct fd' updates from Alexei Starovoitov:
 "This includes struct_fd BPF changes from Al and Andrii"

* tag 'bpf-next-6.12-struct-fd' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next:
  bpf: convert bpf_token_create() to CLASS(fd, ...)
  security,bpf: constify struct path in bpf_token_create() LSM hook
  bpf: more trivial fdget() conversions
  bpf: trivial conversions for fdget()
  bpf: switch maps to CLASS(fd, ...)
  bpf: factor out fetching bpf_map from FD and adding it to used_maps list
  bpf: switch fdget_raw() uses to CLASS(fd_raw, ...)
  bpf: convert __bpf_prog_get() to CLASS(fd, ...)
</pre>
</div>
</content>
</entry>
<entry>
<title>security,bpf: constify struct path in bpf_token_create() LSM hook</title>
<updated>2024-09-13T01:57:54+00:00</updated>
<author>
<name>Andrii Nakryiko</name>
<email>andrii@kernel.org</email>
</author>
<published>2024-08-06T22:38:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=433d7ce2d86d21274838c9e8c796f4232cd13cdb'/>
<id>433d7ce2d86d21274838c9e8c796f4232cd13cdb</id>
<content type='text'>
There is no reason why struct path pointer shouldn't be const-qualified
when being passed into bpf_token_create() LSM hook. Add that const.

Acked-by: Paul Moore &lt;paul@paul-moore.com&gt; (LSM/SELinux)
Suggested-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Andrii Nakryiko &lt;andrii@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
There is no reason why struct path pointer shouldn't be const-qualified
when being passed into bpf_token_create() LSM hook. Add that const.

Acked-by: Paul Moore &lt;paul@paul-moore.com&gt; (LSM/SELinux)
Suggested-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Andrii Nakryiko &lt;andrii@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>security: Update file_set_fowner documentation</title>
<updated>2024-09-09T16:30:51+00:00</updated>
<author>
<name>Mickaël Salaün</name>
<email>mic@digikod.net</email>
</author>
<published>2024-08-21T09:56:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=19c9d55d72a9040cf9dc8de62633e6217381106b'/>
<id>19c9d55d72a9040cf9dc8de62633e6217381106b</id>
<content type='text'>
Highlight that the file_set_fowner hook is now called with a lock held.

Cc: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Cc: Casey Schaufler &lt;casey@schaufler-ca.com&gt;
Cc: Christian Brauner &lt;brauner@kernel.org&gt;
Cc: James Morris &lt;jmorris@namei.org&gt;
Cc: Jann Horn &lt;jannh@google.com&gt;
Cc: Ondrej Mosnacek &lt;omosnace@redhat.com&gt;
Cc: Paul Moore &lt;paul@paul-moore.com&gt;
Cc: Serge E. Hallyn &lt;serge@hallyn.com&gt;
Cc: Stephen Smalley &lt;stephen.smalley.work@gmail.com&gt;
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Highlight that the file_set_fowner hook is now called with a lock held.

Cc: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Cc: Casey Schaufler &lt;casey@schaufler-ca.com&gt;
Cc: Christian Brauner &lt;brauner@kernel.org&gt;
Cc: James Morris &lt;jmorris@namei.org&gt;
Cc: Jann Horn &lt;jannh@google.com&gt;
Cc: Ondrej Mosnacek &lt;omosnace@redhat.com&gt;
Cc: Paul Moore &lt;paul@paul-moore.com&gt;
Cc: Serge E. Hallyn &lt;serge@hallyn.com&gt;
Cc: Stephen Smalley &lt;stephen.smalley.work@gmail.com&gt;
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>lsm: remove LSM_COUNT and LSM_CONFIG_COUNT</title>
<updated>2024-08-26T23:12:18+00:00</updated>
<author>
<name>Tetsuo Handa</name>
<email>penguin-kernel@I-love.SAKURA.ne.jp</email>
</author>
<published>2024-08-25T14:05:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d6bd12e80bf94b055def6ff708e76f836b4b17ad'/>
<id>d6bd12e80bf94b055def6ff708e76f836b4b17ad</id>
<content type='text'>
Because these are equal to MAX_LSM_COUNT. Also, we can avoid dynamic
memory allocation for ordered_lsms because MAX_LSM_COUNT is a constant.

Signed-off-by: Tetsuo Handa &lt;penguin-kernel@I-love.SAKURA.ne.jp&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Because these are equal to MAX_LSM_COUNT. Also, we can avoid dynamic
memory allocation for ordered_lsms because MAX_LSM_COUNT is a constant.

Signed-off-by: Tetsuo Handa &lt;penguin-kernel@I-love.SAKURA.ne.jp&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>lsm: replace indirect LSM hook calls with static calls</title>
<updated>2024-08-22T16:24:10+00:00</updated>
<author>
<name>KP Singh</name>
<email>kpsingh@kernel.org</email>
</author>
<published>2024-08-16T15:43:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=417c5643cd67a55f424b203b492082035d0236c3'/>
<id>417c5643cd67a55f424b203b492082035d0236c3</id>
<content type='text'>
LSM hooks are currently invoked from a linked list as indirect calls
which are invoked using retpolines as a mitigation for speculative
attacks (Branch History / Target injection) and add extra overhead which
is especially bad in kernel hot paths:

security_file_ioctl:
   0xff...0320 &lt;+0&gt;:	endbr64
   0xff...0324 &lt;+4&gt;:	push   %rbp
   0xff...0325 &lt;+5&gt;:	push   %r15
   0xff...0327 &lt;+7&gt;:	push   %r14
   0xff...0329 &lt;+9&gt;:	push   %rbx
   0xff...032a &lt;+10&gt;:	mov    %rdx,%rbx
   0xff...032d &lt;+13&gt;:	mov    %esi,%ebp
   0xff...032f &lt;+15&gt;:	mov    %rdi,%r14
   0xff...0332 &lt;+18&gt;:	mov    $0xff...7030,%r15
   0xff...0339 &lt;+25&gt;:	mov    (%r15),%r15
   0xff...033c &lt;+28&gt;:	test   %r15,%r15
   0xff...033f &lt;+31&gt;:	je     0xff...0358 &lt;security_file_ioctl+56&gt;
   0xff...0341 &lt;+33&gt;:	mov    0x18(%r15),%r11
   0xff...0345 &lt;+37&gt;:	mov    %r14,%rdi
   0xff...0348 &lt;+40&gt;:	mov    %ebp,%esi
   0xff...034a &lt;+42&gt;:	mov    %rbx,%rdx

   0xff...034d &lt;+45&gt;:	call   0xff...2e0 &lt;__x86_indirect_thunk_array+352&gt;
   			       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

    Indirect calls that use retpolines leading to overhead, not just due
    to extra instruction but also branch misses.

   0xff...0352 &lt;+50&gt;:	test   %eax,%eax
   0xff...0354 &lt;+52&gt;:	je     0xff...0339 &lt;security_file_ioctl+25&gt;
   0xff...0356 &lt;+54&gt;:	jmp    0xff...035a &lt;security_file_ioctl+58&gt;
   0xff...0358 &lt;+56&gt;:	xor    %eax,%eax
   0xff...035a &lt;+58&gt;:	pop    %rbx
   0xff...035b &lt;+59&gt;:	pop    %r14
   0xff...035d &lt;+61&gt;:	pop    %r15
   0xff...035f &lt;+63&gt;:	pop    %rbp
   0xff...0360 &lt;+64&gt;:	jmp    0xff...47c4 &lt;__x86_return_thunk&gt;

The indirect calls are not really needed as one knows the addresses of
enabled LSM callbacks at boot time and only the order can possibly
change at boot time with the lsm= kernel command line parameter.

An array of static calls is defined per LSM hook and the static calls
are updated at boot time once the order has been determined.

With the hook now exposed as a static call, one can see that the
retpolines are no longer there and the LSM callbacks are invoked
directly:

security_file_ioctl:
   0xff...0ca0 &lt;+0&gt;:	endbr64
   0xff...0ca4 &lt;+4&gt;:	nopl   0x0(%rax,%rax,1)
   0xff...0ca9 &lt;+9&gt;:	push   %rbp
   0xff...0caa &lt;+10&gt;:	push   %r14
   0xff...0cac &lt;+12&gt;:	push   %rbx
   0xff...0cad &lt;+13&gt;:	mov    %rdx,%rbx
   0xff...0cb0 &lt;+16&gt;:	mov    %esi,%ebp
   0xff...0cb2 &lt;+18&gt;:	mov    %rdi,%r14
   0xff...0cb5 &lt;+21&gt;:	jmp    0xff...0cc7 &lt;security_file_ioctl+39&gt;
  			       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   Static key enabled for SELinux

   0xffffffff818f0cb7 &lt;+23&gt;:	jmp    0xff...0cde &lt;security_file_ioctl+62&gt;
   				^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

   Static key enabled for BPF LSM. This is something that is changed to
   default to false to avoid the existing side effect issues of BPF LSM
   [1] in a subsequent patch.

   0xff...0cb9 &lt;+25&gt;:	xor    %eax,%eax
   0xff...0cbb &lt;+27&gt;:	xchg   %ax,%ax
   0xff...0cbd &lt;+29&gt;:	pop    %rbx
   0xff...0cbe &lt;+30&gt;:	pop    %r14
   0xff...0cc0 &lt;+32&gt;:	pop    %rbp
   0xff...0cc1 &lt;+33&gt;:	cs jmp 0xff...0000 &lt;__x86_return_thunk&gt;
   0xff...0cc7 &lt;+39&gt;:	endbr64
   0xff...0ccb &lt;+43&gt;:	mov    %r14,%rdi
   0xff...0cce &lt;+46&gt;:	mov    %ebp,%esi
   0xff...0cd0 &lt;+48&gt;:	mov    %rbx,%rdx
   0xff...0cd3 &lt;+51&gt;:	call   0xff...3230 &lt;selinux_file_ioctl&gt;
   			       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   Direct call to SELinux.

   0xff...0cd8 &lt;+56&gt;:	test   %eax,%eax
   0xff...0cda &lt;+58&gt;:	jne    0xff...0cbd &lt;security_file_ioctl+29&gt;
   0xff...0cdc &lt;+60&gt;:	jmp    0xff...0cb7 &lt;security_file_ioctl+23&gt;
   0xff...0cde &lt;+62&gt;:	endbr64
   0xff...0ce2 &lt;+66&gt;:	mov    %r14,%rdi
   0xff...0ce5 &lt;+69&gt;:	mov    %ebp,%esi
   0xff...0ce7 &lt;+71&gt;:	mov    %rbx,%rdx
   0xff...0cea &lt;+74&gt;:	call   0xff...e220 &lt;bpf_lsm_file_ioctl&gt;
   			       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   Direct call to BPF LSM.

   0xff...0cef &lt;+79&gt;:	test   %eax,%eax
   0xff...0cf1 &lt;+81&gt;:	jne    0xff...0cbd &lt;security_file_ioctl+29&gt;
   0xff...0cf3 &lt;+83&gt;:	jmp    0xff...0cb9 &lt;security_file_ioctl+25&gt;
   0xff...0cf5 &lt;+85&gt;:	endbr64
   0xff...0cf9 &lt;+89&gt;:	mov    %r14,%rdi
   0xff...0cfc &lt;+92&gt;:	mov    %ebp,%esi
   0xff...0cfe &lt;+94&gt;:	mov    %rbx,%rdx
   0xff...0d01 &lt;+97&gt;:	pop    %rbx
   0xff...0d02 &lt;+98&gt;:	pop    %r14
   0xff...0d04 &lt;+100&gt;:	pop    %rbp
   0xff...0d05 &lt;+101&gt;:	ret
   0xff...0d06 &lt;+102&gt;:	int3
   0xff...0d07 &lt;+103&gt;:	int3
   0xff...0d08 &lt;+104&gt;:	int3
   0xff...0d09 &lt;+105&gt;:	int3

While this patch uses static_branch_unlikely, indicating that an LSM hook
is likely to be not present, in most cases this is still a better choice
as even when an LSM with one hook is added, empty slots are created for
all LSM hooks (especially when many LSMs that do not initialize most
hooks are present on the system).

There are some hooks that don't use the call_int_hook or
call_void_hook. These hooks are updated to use a new macro called
lsm_for_each_hook where the lsm_callback is directly invoked as an
indirect call.

Below are results of the relevant Unixbench system benchmarks with BPF LSM
and SELinux enabled with default policies enabled with and without these
patches.

Benchmark                                          Delta(%): (+ is better)
==========================================================================
Execl Throughput                                             +1.9356
File Write 1024 bufsize 2000 maxblocks                       +6.5953
Pipe Throughput                                              +9.5499
Pipe-based Context Switching                                 +3.0209
Process Creation                                             +2.3246
Shell Scripts (1 concurrent)                                 +1.4975
System Call Overhead                                         +2.7815
System Benchmarks Index Score (Partial Only):                +3.4859

In the best case, some syscalls like eventfd_create benefitted by about
10%.

Tested-by: Guenter Roeck &lt;linux@roeck-us.net&gt;
Reviewed-by: Casey Schaufler &lt;casey@schaufler-ca.com&gt;
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Acked-by: Song Liu &lt;song@kernel.org&gt;
Acked-by: Andrii Nakryiko &lt;andrii@kernel.org&gt;
Signed-off-by: KP Singh &lt;kpsingh@kernel.org&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
LSM hooks are currently invoked from a linked list as indirect calls
which are invoked using retpolines as a mitigation for speculative
attacks (Branch History / Target injection) and add extra overhead which
is especially bad in kernel hot paths:

security_file_ioctl:
   0xff...0320 &lt;+0&gt;:	endbr64
   0xff...0324 &lt;+4&gt;:	push   %rbp
   0xff...0325 &lt;+5&gt;:	push   %r15
   0xff...0327 &lt;+7&gt;:	push   %r14
   0xff...0329 &lt;+9&gt;:	push   %rbx
   0xff...032a &lt;+10&gt;:	mov    %rdx,%rbx
   0xff...032d &lt;+13&gt;:	mov    %esi,%ebp
   0xff...032f &lt;+15&gt;:	mov    %rdi,%r14
   0xff...0332 &lt;+18&gt;:	mov    $0xff...7030,%r15
   0xff...0339 &lt;+25&gt;:	mov    (%r15),%r15
   0xff...033c &lt;+28&gt;:	test   %r15,%r15
   0xff...033f &lt;+31&gt;:	je     0xff...0358 &lt;security_file_ioctl+56&gt;
   0xff...0341 &lt;+33&gt;:	mov    0x18(%r15),%r11
   0xff...0345 &lt;+37&gt;:	mov    %r14,%rdi
   0xff...0348 &lt;+40&gt;:	mov    %ebp,%esi
   0xff...034a &lt;+42&gt;:	mov    %rbx,%rdx

   0xff...034d &lt;+45&gt;:	call   0xff...2e0 &lt;__x86_indirect_thunk_array+352&gt;
   			       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

    Indirect calls that use retpolines leading to overhead, not just due
    to extra instruction but also branch misses.

   0xff...0352 &lt;+50&gt;:	test   %eax,%eax
   0xff...0354 &lt;+52&gt;:	je     0xff...0339 &lt;security_file_ioctl+25&gt;
   0xff...0356 &lt;+54&gt;:	jmp    0xff...035a &lt;security_file_ioctl+58&gt;
   0xff...0358 &lt;+56&gt;:	xor    %eax,%eax
   0xff...035a &lt;+58&gt;:	pop    %rbx
   0xff...035b &lt;+59&gt;:	pop    %r14
   0xff...035d &lt;+61&gt;:	pop    %r15
   0xff...035f &lt;+63&gt;:	pop    %rbp
   0xff...0360 &lt;+64&gt;:	jmp    0xff...47c4 &lt;__x86_return_thunk&gt;

The indirect calls are not really needed as one knows the addresses of
enabled LSM callbacks at boot time and only the order can possibly
change at boot time with the lsm= kernel command line parameter.

An array of static calls is defined per LSM hook and the static calls
are updated at boot time once the order has been determined.

With the hook now exposed as a static call, one can see that the
retpolines are no longer there and the LSM callbacks are invoked
directly:

security_file_ioctl:
   0xff...0ca0 &lt;+0&gt;:	endbr64
   0xff...0ca4 &lt;+4&gt;:	nopl   0x0(%rax,%rax,1)
   0xff...0ca9 &lt;+9&gt;:	push   %rbp
   0xff...0caa &lt;+10&gt;:	push   %r14
   0xff...0cac &lt;+12&gt;:	push   %rbx
   0xff...0cad &lt;+13&gt;:	mov    %rdx,%rbx
   0xff...0cb0 &lt;+16&gt;:	mov    %esi,%ebp
   0xff...0cb2 &lt;+18&gt;:	mov    %rdi,%r14
   0xff...0cb5 &lt;+21&gt;:	jmp    0xff...0cc7 &lt;security_file_ioctl+39&gt;
  			       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   Static key enabled for SELinux

   0xffffffff818f0cb7 &lt;+23&gt;:	jmp    0xff...0cde &lt;security_file_ioctl+62&gt;
   				^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

   Static key enabled for BPF LSM. This is something that is changed to
   default to false to avoid the existing side effect issues of BPF LSM
   [1] in a subsequent patch.

   0xff...0cb9 &lt;+25&gt;:	xor    %eax,%eax
   0xff...0cbb &lt;+27&gt;:	xchg   %ax,%ax
   0xff...0cbd &lt;+29&gt;:	pop    %rbx
   0xff...0cbe &lt;+30&gt;:	pop    %r14
   0xff...0cc0 &lt;+32&gt;:	pop    %rbp
   0xff...0cc1 &lt;+33&gt;:	cs jmp 0xff...0000 &lt;__x86_return_thunk&gt;
   0xff...0cc7 &lt;+39&gt;:	endbr64
   0xff...0ccb &lt;+43&gt;:	mov    %r14,%rdi
   0xff...0cce &lt;+46&gt;:	mov    %ebp,%esi
   0xff...0cd0 &lt;+48&gt;:	mov    %rbx,%rdx
   0xff...0cd3 &lt;+51&gt;:	call   0xff...3230 &lt;selinux_file_ioctl&gt;
   			       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   Direct call to SELinux.

   0xff...0cd8 &lt;+56&gt;:	test   %eax,%eax
   0xff...0cda &lt;+58&gt;:	jne    0xff...0cbd &lt;security_file_ioctl+29&gt;
   0xff...0cdc &lt;+60&gt;:	jmp    0xff...0cb7 &lt;security_file_ioctl+23&gt;
   0xff...0cde &lt;+62&gt;:	endbr64
   0xff...0ce2 &lt;+66&gt;:	mov    %r14,%rdi
   0xff...0ce5 &lt;+69&gt;:	mov    %ebp,%esi
   0xff...0ce7 &lt;+71&gt;:	mov    %rbx,%rdx
   0xff...0cea &lt;+74&gt;:	call   0xff...e220 &lt;bpf_lsm_file_ioctl&gt;
   			       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   Direct call to BPF LSM.

   0xff...0cef &lt;+79&gt;:	test   %eax,%eax
   0xff...0cf1 &lt;+81&gt;:	jne    0xff...0cbd &lt;security_file_ioctl+29&gt;
   0xff...0cf3 &lt;+83&gt;:	jmp    0xff...0cb9 &lt;security_file_ioctl+25&gt;
   0xff...0cf5 &lt;+85&gt;:	endbr64
   0xff...0cf9 &lt;+89&gt;:	mov    %r14,%rdi
   0xff...0cfc &lt;+92&gt;:	mov    %ebp,%esi
   0xff...0cfe &lt;+94&gt;:	mov    %rbx,%rdx
   0xff...0d01 &lt;+97&gt;:	pop    %rbx
   0xff...0d02 &lt;+98&gt;:	pop    %r14
   0xff...0d04 &lt;+100&gt;:	pop    %rbp
   0xff...0d05 &lt;+101&gt;:	ret
   0xff...0d06 &lt;+102&gt;:	int3
   0xff...0d07 &lt;+103&gt;:	int3
   0xff...0d08 &lt;+104&gt;:	int3
   0xff...0d09 &lt;+105&gt;:	int3

While this patch uses static_branch_unlikely, indicating that an LSM hook
is likely to be not present, in most cases this is still a better choice
as even when an LSM with one hook is added, empty slots are created for
all LSM hooks (especially when many LSMs that do not initialize most
hooks are present on the system).

There are some hooks that don't use the call_int_hook or
call_void_hook. These hooks are updated to use a new macro called
lsm_for_each_hook where the lsm_callback is directly invoked as an
indirect call.

Below are results of the relevant Unixbench system benchmarks with BPF LSM
and SELinux enabled with default policies enabled with and without these
patches.

Benchmark                                          Delta(%): (+ is better)
==========================================================================
Execl Throughput                                             +1.9356
File Write 1024 bufsize 2000 maxblocks                       +6.5953
Pipe Throughput                                              +9.5499
Pipe-based Context Switching                                 +3.0209
Process Creation                                             +2.3246
Shell Scripts (1 concurrent)                                 +1.4975
System Call Overhead                                         +2.7815
System Benchmarks Index Score (Partial Only):                +3.4859

In the best case, some syscalls like eventfd_create benefitted by about
10%.

Tested-by: Guenter Roeck &lt;linux@roeck-us.net&gt;
Reviewed-by: Casey Schaufler &lt;casey@schaufler-ca.com&gt;
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Acked-by: Song Liu &lt;song@kernel.org&gt;
Acked-by: Andrii Nakryiko &lt;andrii@kernel.org&gt;
Signed-off-by: KP Singh &lt;kpsingh@kernel.org&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>lsm: add security_inode_setintegrity() hook</title>
<updated>2024-08-20T18:02:58+00:00</updated>
<author>
<name>Fan Wu</name>
<email>wufan@linux.microsoft.com</email>
</author>
<published>2024-08-03T06:08:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=fb55e177d5936fb80fb2586036d195c57e7f6892'/>
<id>fb55e177d5936fb80fb2586036d195c57e7f6892</id>
<content type='text'>
This patch introduces a new hook to save an inode's integrity
data. For example, for fsverity enabled files, LSMs can use this hook to
save the existence of a verified fsverity builtin signature into the inode's
security blob, and LSMs can make access decisions based on this data.

Signed-off-by: Fan Wu &lt;wufan@linux.microsoft.com&gt;
[PM: subject line tweak, removed changelog]
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch introduces a new hook to save an inode's integrity
data. For example, for fsverity enabled files, LSMs can use this hook to
save the existence of a verified fsverity builtin signature into the inode's
security blob, and LSMs can make access decisions based on this data.

Signed-off-by: Fan Wu &lt;wufan@linux.microsoft.com&gt;
[PM: subject line tweak, removed changelog]
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipe: add support for dm-verity as a trust provider</title>
<updated>2024-08-20T18:02:45+00:00</updated>
<author>
<name>Deven Bowers</name>
<email>deven.desai@linux.microsoft.com</email>
</author>
<published>2024-08-03T06:08:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e155858dd99523d4afe0f74e9c26e4f4499eb5af'/>
<id>e155858dd99523d4afe0f74e9c26e4f4499eb5af</id>
<content type='text'>
Allows the author of an IPE policy to indicate trust for a singular dm-verity
volume, identified by roothash, through "dmverity_roothash", and for all
signed and validated dm-verity volumes, through "dmverity_signature".

Signed-off-by: Deven Bowers &lt;deven.desai@linux.microsoft.com&gt;
Signed-off-by: Fan Wu &lt;wufan@linux.microsoft.com&gt;
[PM: fixed some line length issues in the comments]
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Allows the author of an IPE policy to indicate trust for a singular dm-verity
volume, identified by roothash, through "dmverity_roothash", and for all
signed and validated dm-verity volumes, through "dmverity_signature".

Signed-off-by: Deven Bowers &lt;deven.desai@linux.microsoft.com&gt;
Signed-off-by: Fan Wu &lt;wufan@linux.microsoft.com&gt;
[PM: fixed some line length issues in the comments]
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
