<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/security, branch v7.2-rc3</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>Merge tag 'selinux-pr-20260710' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux</title>
<updated>2026-07-11T01:59:29+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-07-11T01:59:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ccce5f6e7c86f103d76534e2d06d1c903dce551c'/>
<id>ccce5f6e7c86f103d76534e2d06d1c903dce551c</id>
<content type='text'>
Pull selinux fixes from Paul Moore:
 "Two small SELinux patches to fix a missing permission check for TCP
  Fast Open operations and fix a socket lookup issue with SCTP ASCONF
  operations"

* tag 'selinux-pr-20260710' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: avoid sk_socket dereference in selinux_sctp_bind_connect()
  selinux: check connect-related permissions on TCP Fast Open
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull selinux fixes from Paul Moore:
 "Two small SELinux patches to fix a missing permission check for TCP
  Fast Open operations and fix a socket lookup issue with SCTP ASCONF
  operations"

* tag 'selinux-pr-20260710' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: avoid sk_socket dereference in selinux_sctp_bind_connect()
  selinux: check connect-related permissions on TCP Fast Open
</pre>
</div>
</content>
</entry>
<entry>
<title>selinux: avoid sk_socket dereference in selinux_sctp_bind_connect()</title>
<updated>2026-07-01T22:22:22+00:00</updated>
<author>
<name>Tristan Madani</name>
<email>tristan@talencesecurity.com</email>
</author>
<published>2026-06-25T23:53:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=56acfeb10019e200ab6787d01f8d7cbe0f01526f'/>
<id>56acfeb10019e200ab6787d01f8d7cbe0f01526f</id>
<content type='text'>
selinux_sctp_bind_connect() dereferences sk-&gt;sk_socket to pass a
struct socket * to selinux_socket_bind() and
selinux_socket_connect_helper().  However, when the hook is invoked
from the ASCONF softirq path (sctp_process_asconf), there is no file
reference guaranteeing that sk-&gt;sk_socket is non-NULL.  The setsockopt
callers (bindx, connectx, set_primary, sendmsg connect) hold a file
reference and are not affected.

Both selinux_socket_bind() and selinux_socket_connect_helper()
immediately resolve sock-&gt;sk, never using the struct socket * for
anything else.  Refactor the inner logic into helpers that take a
struct sock * directly so that selinux_sctp_bind_connect() never needs
to touch sk-&gt;sk_socket at all.

Cc: stable@vger.kernel.org
Fixes: d452930fd3b9 ("selinux: Add SCTP support")
Suggested-by: Stephen Smalley &lt;stephen.smalley.work@gmail.com&gt;
Signed-off-by: Tristan Madani &lt;tristan@talencesecurity.com&gt;
Reviewed-by: Stephen Smalley &lt;stephen.smalley.work@gmail.com&gt;
Tested-by: Stephen Smalley &lt;stephen.smalley.work@gmail.com&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
selinux_sctp_bind_connect() dereferences sk-&gt;sk_socket to pass a
struct socket * to selinux_socket_bind() and
selinux_socket_connect_helper().  However, when the hook is invoked
from the ASCONF softirq path (sctp_process_asconf), there is no file
reference guaranteeing that sk-&gt;sk_socket is non-NULL.  The setsockopt
callers (bindx, connectx, set_primary, sendmsg connect) hold a file
reference and are not affected.

Both selinux_socket_bind() and selinux_socket_connect_helper()
immediately resolve sock-&gt;sk, never using the struct socket * for
anything else.  Refactor the inner logic into helpers that take a
struct sock * directly so that selinux_sctp_bind_connect() never needs
to touch sk-&gt;sk_socket at all.

Cc: stable@vger.kernel.org
Fixes: d452930fd3b9 ("selinux: Add SCTP support")
Suggested-by: Stephen Smalley &lt;stephen.smalley.work@gmail.com&gt;
Signed-off-by: Tristan Madani &lt;tristan@talencesecurity.com&gt;
Reviewed-by: Stephen Smalley &lt;stephen.smalley.work@gmail.com&gt;
Tested-by: Stephen Smalley &lt;stephen.smalley.work@gmail.com&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>selinux: check connect-related permissions on TCP Fast Open</title>
<updated>2026-07-01T21:09:53+00:00</updated>
<author>
<name>Stephen Smalley</name>
<email>stephen.smalley.work@gmail.com</email>
</author>
<published>2026-06-18T17:55:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=44c74d27d1b9aaa99fa8a83640c1223575262b80'/>
<id>44c74d27d1b9aaa99fa8a83640c1223575262b80</id>
<content type='text'>
Similar to Landlock, SELinux was not updated when TCP Fast Open
support was introduced to ensure connect-related permissions are
checked when using TCP Fast Open. Update its socket_sendmsg() hook to
call selinux_socket_connect() when MSG_FASTOPEN is passed.

Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/linux-security-module/20260616201615.275032-1-hexlabsecurity@proton.me/
Link: https://lore.kernel.org/linux-security-module/20260617180526.15627-2-matthieu@buffet.re/
Reported-by: Bryam Vargas &lt;hexlabsecurity@proton.me&gt;
Reported-by: Matthieu Buffet &lt;matthieu@buffet.re&gt;
Reported-by: Mikhail Ivanov &lt;ivanov.mikhail1@huawei-partners.com&gt;
Signed-off-by: Stephen Smalley &lt;stephen.smalley.work@gmail.com&gt;
Tested-by: Bryam Vargas &lt;hexlabsecurity@proton.me&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Similar to Landlock, SELinux was not updated when TCP Fast Open
support was introduced to ensure connect-related permissions are
checked when using TCP Fast Open. Update its socket_sendmsg() hook to
call selinux_socket_connect() when MSG_FASTOPEN is passed.

Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/linux-security-module/20260616201615.275032-1-hexlabsecurity@proton.me/
Link: https://lore.kernel.org/linux-security-module/20260617180526.15627-2-matthieu@buffet.re/
Reported-by: Bryam Vargas &lt;hexlabsecurity@proton.me&gt;
Reported-by: Matthieu Buffet &lt;matthieu@buffet.re&gt;
Reported-by: Mikhail Ivanov &lt;ivanov.mikhail1@huawei-partners.com&gt;
Signed-off-by: Stephen Smalley &lt;stephen.smalley.work@gmail.com&gt;
Tested-by: Bryam Vargas &lt;hexlabsecurity@proton.me&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>bpf: Reject BPF_MAP_TYPE_INODE_STORAGE creation if BPF LSM is uninitialized</title>
<updated>2026-06-30T14:31:56+00:00</updated>
<author>
<name>Matt Bobrowski</name>
<email>mattbobrowski@google.com</email>
</author>
<published>2026-06-28T20:11:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a6f0643e4f63cfaa0d5d4a69de4f132eac4b8fe4'/>
<id>a6f0643e4f63cfaa0d5d4a69de4f132eac4b8fe4</id>
<content type='text'>
When CONFIG_BPF_LSM=y is set, BPF inode storage maps
(BPF_MAP_TYPE_INODE_STORAGE) are compiled into the kernel. However,
if the BPF LSM is not explicitly enabled at boot time (e.g. omitted
from the "lsm=" boot parameter), lsm_prepare() is never executed for
the BPF LSM.

Consequently, the BPF inode security blob offset
(bpf_lsm_blob_sizes.lbs_inode) is never initialized and remains at
its default compiled size of 8 bytes instead of being updated to a
valid offset past the reserved struct rcu_head (typically 16 bytes
or more).

When a privileged user creates and updates a BPF_MAP_TYPE_INODE_STORAGE
map, bpf_inode() evaluates inode-&gt;i_security + 8. This erroneously
aliases the struct rcu_head.func callback pointer at the beginning
of the inode-&gt;i_security blob. During subsequent map element cleanup
or inode destruction, writing NULL to owner_storage clears the queued
RCU callback pointer. When rcu_do_batch() later executes the queued
callback, it attempts an instruction fetch at address 0x0, triggering
an immediate kernel panic.

Fix this by introducing a global bpf_lsm_initialized boolean flag
marked with __ro_after_init. Set this flag to true inside bpf_lsm_init()
when the LSM framework successfully registers the BPF LSM. Gate map
allocation in inode_storage_map_alloc() on this flag, returning
-EOPNOTSUPP if the BPF LSM is in turn uninitialized.

This fail-fast approach prevents userspace from allocating inode
storage maps when the supporting BPF LSM infrastructure is absent,
avoiding zombie map states.

Fixes: 8ea636848aca ("bpf: Implement bpf_local_storage for inodes")
Reported-by: oxsignal &lt;awo@kakao.com&gt;
Signed-off-by: Matt Bobrowski &lt;mattbobrowski@google.com&gt;
Signed-off-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Reviewed-by: Emil Tsalapatis &lt;emil@etsalapatis.com&gt;
Reviewed-by: Amery Hung &lt;ameryhung@gmail.com&gt;
Link: https://lore.kernel.org/bpf/20260628201103.3624525-1-mattbobrowski@google.com
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When CONFIG_BPF_LSM=y is set, BPF inode storage maps
(BPF_MAP_TYPE_INODE_STORAGE) are compiled into the kernel. However,
if the BPF LSM is not explicitly enabled at boot time (e.g. omitted
from the "lsm=" boot parameter), lsm_prepare() is never executed for
the BPF LSM.

Consequently, the BPF inode security blob offset
(bpf_lsm_blob_sizes.lbs_inode) is never initialized and remains at
its default compiled size of 8 bytes instead of being updated to a
valid offset past the reserved struct rcu_head (typically 16 bytes
or more).

When a privileged user creates and updates a BPF_MAP_TYPE_INODE_STORAGE
map, bpf_inode() evaluates inode-&gt;i_security + 8. This erroneously
aliases the struct rcu_head.func callback pointer at the beginning
of the inode-&gt;i_security blob. During subsequent map element cleanup
or inode destruction, writing NULL to owner_storage clears the queued
RCU callback pointer. When rcu_do_batch() later executes the queued
callback, it attempts an instruction fetch at address 0x0, triggering
an immediate kernel panic.

Fix this by introducing a global bpf_lsm_initialized boolean flag
marked with __ro_after_init. Set this flag to true inside bpf_lsm_init()
when the LSM framework successfully registers the BPF LSM. Gate map
allocation in inode_storage_map_alloc() on this flag, returning
-EOPNOTSUPP if the BPF LSM is in turn uninitialized.

This fail-fast approach prevents userspace from allocating inode
storage maps when the supporting BPF LSM infrastructure is absent,
avoiding zombie map states.

Fixes: 8ea636848aca ("bpf: Implement bpf_local_storage for inodes")
Reported-by: oxsignal &lt;awo@kakao.com&gt;
Signed-off-by: Matt Bobrowski &lt;mattbobrowski@google.com&gt;
Signed-off-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Reviewed-by: Emil Tsalapatis &lt;emil@etsalapatis.com&gt;
Reviewed-by: Amery Hung &lt;ameryhung@gmail.com&gt;
Link: https://lore.kernel.org/bpf/20260628201103.3624525-1-mattbobrowski@google.com
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'apparmor-pr-2026-06-22' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor</title>
<updated>2026-06-24T19:33:40+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-06-24T19:33:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6535a84bfdc4ab56fc901cbd9bd0d1a22315aa93'/>
<id>6535a84bfdc4ab56fc901cbd9bd0d1a22315aa93</id>
<content type='text'>
Pull apparmor updates from John Johansen:
 "Another round of bug fixing and some code cleanups, there are no new
  features. The biggest thing to note is Georgia is being added to help
  co-maintain apparmor.

  Cleanups:
   - replace get_zeroed_page() with kzalloc()
   - remove unnecessary goto and associated label
   - change fn_label_build() to return err on failure instead of NULL or
     err
   - free rawdata as soon as possible
   - use explicit instead of implicit flex array in rawdata_f_data
   - use __label_make_stale in __aa_proxy_redirect
   - return correct error by propagate -ENOMEM correctly in unpack_table
   - aa_label_alloc use aa_label_free on alloc failure
   - add a conditional version of get_newest_label

  Bug Fixes:
   - mediate the implicit connect of TCP fast open sendmsg
   - fix C23ism of label immediately before a declaration
   - fix kernel-doc warnings
   - fix spelling mistakes
   - fix use-after-free in rawdata dedup loop
   - Fix inverted comparison in cache_hold_inc()
   - fix uninitialized pointer passed to audit_log_untrustedstring()
   - don't audit files pointing to aa_null.dentry
   - put secmark label after secid lookup
   - fix aa_getprocattr free procattr leak on format failure
   - release exe file resources on path failure
   - fail policy unpack on accept2 allocation failure
   - Fix return in ns_mkdir_op
   - remove or add symlinks to rawdata according to export_binary
   - fix NULL pointer dereference in unpack_pdb
   - fix potential UAF in aa_replace_profiles
   - grab ns lock and refresh when looking up changehat child profiles
   - enable differential encoding
   - check label build before no_new_privs test
   - conditionally compile get_loaddata_common_ref()
   - fix unix socket mediation cache update, and leak"

* tag 'apparmor-pr-2026-06-22' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: (35 commits)
  apparmor: advertise the tcp fast open fix is applied
  apparmor: mediate the implicit connect of TCP fast open sendmsg
  apparmor: fix label can not be immediately before a declaration
  apparmor: fix kernel-doc warnings
  apparmor: replace get_zeroed_page() with kzalloc()
  security: apparmor: fix two spelling mistakes
  apparmor: fix use-after-free in rawdata dedup loop
  apparmor: Fix inverted comparison in cache_hold_inc()
  apparmor: fix uninitialised pointer passed to audit_log_untrustedstring()
  apparmor: don't audit files pointing to aa_null.dentry
  apparmor: put secmark label after secid lookup
  apparmor: aa_getprocattr free procattr leak on format failure
  apparmor: remove unnecessary goto and associated label
  apparmor: release exe file resources on path failure
  apparmor: fail policy unpack on accept2 allocation failure
  apparmor: Fix return in ns_mkdir_op
  apparmor: remove or add symlinks to rawdata according to export_binary
  apparmor: fix NULL pointer dereference in unpack_pdb
  apparmor: make fn_label_build() capable of handling not supported
  apparmor: change fn_label_build() call to not return NULL
  ...
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull apparmor updates from John Johansen:
 "Another round of bug fixing and some code cleanups, there are no new
  features. The biggest thing to note is Georgia is being added to help
  co-maintain apparmor.

  Cleanups:
   - replace get_zeroed_page() with kzalloc()
   - remove unnecessary goto and associated label
   - change fn_label_build() to return err on failure instead of NULL or
     err
   - free rawdata as soon as possible
   - use explicit instead of implicit flex array in rawdata_f_data
   - use __label_make_stale in __aa_proxy_redirect
   - return correct error by propagate -ENOMEM correctly in unpack_table
   - aa_label_alloc use aa_label_free on alloc failure
   - add a conditional version of get_newest_label

  Bug Fixes:
   - mediate the implicit connect of TCP fast open sendmsg
   - fix C23ism of label immediately before a declaration
   - fix kernel-doc warnings
   - fix spelling mistakes
   - fix use-after-free in rawdata dedup loop
   - Fix inverted comparison in cache_hold_inc()
   - fix uninitialized pointer passed to audit_log_untrustedstring()
   - don't audit files pointing to aa_null.dentry
   - put secmark label after secid lookup
   - fix aa_getprocattr free procattr leak on format failure
   - release exe file resources on path failure
   - fail policy unpack on accept2 allocation failure
   - Fix return in ns_mkdir_op
   - remove or add symlinks to rawdata according to export_binary
   - fix NULL pointer dereference in unpack_pdb
   - fix potential UAF in aa_replace_profiles
   - grab ns lock and refresh when looking up changehat child profiles
   - enable differential encoding
   - check label build before no_new_privs test
   - conditionally compile get_loaddata_common_ref()
   - fix unix socket mediation cache update, and leak"

* tag 'apparmor-pr-2026-06-22' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: (35 commits)
  apparmor: advertise the tcp fast open fix is applied
  apparmor: mediate the implicit connect of TCP fast open sendmsg
  apparmor: fix label can not be immediately before a declaration
  apparmor: fix kernel-doc warnings
  apparmor: replace get_zeroed_page() with kzalloc()
  security: apparmor: fix two spelling mistakes
  apparmor: fix use-after-free in rawdata dedup loop
  apparmor: Fix inverted comparison in cache_hold_inc()
  apparmor: fix uninitialised pointer passed to audit_log_untrustedstring()
  apparmor: don't audit files pointing to aa_null.dentry
  apparmor: put secmark label after secid lookup
  apparmor: aa_getprocattr free procattr leak on format failure
  apparmor: remove unnecessary goto and associated label
  apparmor: release exe file resources on path failure
  apparmor: fail policy unpack on accept2 allocation failure
  apparmor: Fix return in ns_mkdir_op
  apparmor: remove or add symlinks to rawdata according to export_binary
  apparmor: fix NULL pointer dereference in unpack_pdb
  apparmor: make fn_label_build() capable of handling not supported
  apparmor: change fn_label_build() call to not return NULL
  ...
</pre>
</div>
</content>
</entry>
<entry>
<title>apparmor: advertise the tcp fast open fix is applied</title>
<updated>2026-06-24T05:15:15+00:00</updated>
<author>
<name>John Johansen</name>
<email>john.johansen@canonical.com</email>
</author>
<published>2026-06-22T23:34:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2f6701a5ce6257ae7a64ddc6d89d0a08d2a034f8'/>
<id>2f6701a5ce6257ae7a64ddc6d89d0a08d2a034f8</id>
<content type='text'>
The fix for tcp-fast-open ensures that the connect permission is being
mediated correctly but it didn't add an artifact to the feature set to
advertise the fix is available. Add an artifact so that the test suite
can identify if the fix has not been properly applied or a new
unexpected regression has occurred.

Fixes: 4d587cd8a7215 ("apparmor: mediate the implicit connect of TCP fast open sendmsg")
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The fix for tcp-fast-open ensures that the connect permission is being
mediated correctly but it didn't add an artifact to the feature set to
advertise the fix is available. Add an artifact so that the test suite
can identify if the fix has not been properly applied or a new
unexpected regression has occurred.

Fixes: 4d587cd8a7215 ("apparmor: mediate the implicit connect of TCP fast open sendmsg")
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>apparmor: mediate the implicit connect of TCP fast open sendmsg</title>
<updated>2026-06-23T07:16:59+00:00</updated>
<author>
<name>Bryam Vargas</name>
<email>hexlabsecurity@proton.me</email>
</author>
<published>2026-06-22T20:57:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4d587cd8a72155089a627130bbd4716ec0856e21'/>
<id>4d587cd8a72155089a627130bbd4716ec0856e21</id>
<content type='text'>
sendmsg()/sendto() with MSG_FASTOPEN is a combination of connect(2) and
write(2): it opens the connection in the SYN. apparmor_socket_sendmsg()
only checks AA_MAY_SEND, so a profile that grants send but denies connect
lets a confined task open an outbound TCP/MPTCP connection that connect(2)
would have refused, bypassing connect mediation.

Mediate the implicit connect when MSG_FASTOPEN is set and a destination
is supplied. Add it to apparmor_socket_sendmsg() (not the shared
aa_sock_msg_perm() helper, which recvmsg also uses) and call aa_sk_perm()
directly, mirroring the selinux and tomoyo fixes. sk_is_tcp() does not
cover MPTCP fast open, so the SOCK_STREAM/IPPROTO_MPTCP arm is explicit.

Fixes: cf60af03ca4e ("net-tcp: Fast Open client - sendmsg(MSG_FASTOPEN)")
Cc: stable@vger.kernel.org
Signed-off-by: Bryam Vargas &lt;hexlabsecurity@proton.me&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
sendmsg()/sendto() with MSG_FASTOPEN is a combination of connect(2) and
write(2): it opens the connection in the SYN. apparmor_socket_sendmsg()
only checks AA_MAY_SEND, so a profile that grants send but denies connect
lets a confined task open an outbound TCP/MPTCP connection that connect(2)
would have refused, bypassing connect mediation.

Mediate the implicit connect when MSG_FASTOPEN is set and a destination
is supplied. Add it to apparmor_socket_sendmsg() (not the shared
aa_sock_msg_perm() helper, which recvmsg also uses) and call aa_sk_perm()
directly, mirroring the selinux and tomoyo fixes. sk_is_tcp() does not
cover MPTCP fast open, so the SOCK_STREAM/IPPROTO_MPTCP arm is explicit.

Fixes: cf60af03ca4e ("net-tcp: Fast Open client - sendmsg(MSG_FASTOPEN)")
Cc: stable@vger.kernel.org
Signed-off-by: Bryam Vargas &lt;hexlabsecurity@proton.me&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'landlock-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux</title>
<updated>2026-06-19T19:20:25+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-06-19T19:20:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5e2e14749c3d969e263a879db104db6e9f0eb484'/>
<id>5e2e14749c3d969e263a879db104db6e9f0eb484</id>
<content type='text'>
Pull landlock updates from Mickaël Salaün:
 "This adds new Landlock access rights to control UDP bind and
  connect/send operations, and a new "quiet" feature to mute specific
  specific audit logs (and other future observability events).

  A few commits also fix Landlock issues"

* tag 'landlock-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux: (24 commits)
  selftests/landlock: Add tests for invalid use of quiet flag
  selftests/landlock: Add tests for quiet flag with scope
  selftests/landlock: Add tests for quiet flag with net rules
  selftests/landlock: Add tests for quiet flag with fs rules
  selftests/landlock: Replace hard-coded 16 with a constant
  samples/landlock: Add quiet flag support to sandboxer
  landlock: Suppress logging when quiet flag is present
  landlock: Add API support and docs for the quiet flags
  landlock: Add a place for flags to layer rules
  landlock: Add documentation for UDP support
  samples/landlock: Add sandboxer UDP access control
  selftests/landlock: Add tests for UDP send
  selftests/landlock: Add tests for UDP bind/connect
  landlock: Add UDP send+connect access control
  landlock: Add UDP bind() access control
  landlock: Fix unmarked concurrent access to socket family
  selftests/landlock: Explicitly disable audit in teardowns
  selftests/landlock: Test SCOPE_SIGNAL on the SIGIO/fowner pgid path
  landlock: Fix LANDLOCK_SCOPE_SIGNAL bypass on the SIGIO path
  landlock: Demonstrate best-effort allowed_access filtering
  ...
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull landlock updates from Mickaël Salaün:
 "This adds new Landlock access rights to control UDP bind and
  connect/send operations, and a new "quiet" feature to mute specific
  specific audit logs (and other future observability events).

  A few commits also fix Landlock issues"

* tag 'landlock-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux: (24 commits)
  selftests/landlock: Add tests for invalid use of quiet flag
  selftests/landlock: Add tests for quiet flag with scope
  selftests/landlock: Add tests for quiet flag with net rules
  selftests/landlock: Add tests for quiet flag with fs rules
  selftests/landlock: Replace hard-coded 16 with a constant
  samples/landlock: Add quiet flag support to sandboxer
  landlock: Suppress logging when quiet flag is present
  landlock: Add API support and docs for the quiet flags
  landlock: Add a place for flags to layer rules
  landlock: Add documentation for UDP support
  samples/landlock: Add sandboxer UDP access control
  selftests/landlock: Add tests for UDP send
  selftests/landlock: Add tests for UDP bind/connect
  landlock: Add UDP send+connect access control
  landlock: Add UDP bind() access control
  landlock: Fix unmarked concurrent access to socket family
  selftests/landlock: Explicitly disable audit in teardowns
  selftests/landlock: Test SCOPE_SIGNAL on the SIGIO/fowner pgid path
  landlock: Fix LANDLOCK_SCOPE_SIGNAL bypass on the SIGIO path
  landlock: Demonstrate best-effort allowed_access filtering
  ...
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'for-next-keys-7.2-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd</title>
<updated>2026-06-19T19:14:08+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-06-19T19:14:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e2c0595b56e9526e67ddd228fc35fa9ff20724ec'/>
<id>e2c0595b56e9526e67ddd228fc35fa9ff20724ec</id>
<content type='text'>
Pull keys update from Jarkko Sakkinen:
 "This contains only bug fixes"

* tag 'for-next-keys-7.2-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd:
  keys: keyctl_pkey: replace BUG with return -EOPNOTSUPP
  keys: request_key: replace BUG with return -EINVAL
  keys: Pin request_key_auth payload in instantiate paths
  keys: prevent slab cache merging for key_jar
  keys: Replace strcpy(derived_buf, "AUTH_KEY") with strscpy(..., HASH_SIZE)
  KEYS: Use acquire when reading state in keyring search
  keys/trusted_keys: mark 'migratable' as __ro_after_init
  keys: use kmalloc_flex in user_preparse
  KEYS: trusted: Debugging as a feature
  KEYS: encrypted: Remove unnecessary selection of CRYPTO_RNG
  KEYS: fix overflow in keyctl_pkey_params_get_2()
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull keys update from Jarkko Sakkinen:
 "This contains only bug fixes"

* tag 'for-next-keys-7.2-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd:
  keys: keyctl_pkey: replace BUG with return -EOPNOTSUPP
  keys: request_key: replace BUG with return -EINVAL
  keys: Pin request_key_auth payload in instantiate paths
  keys: prevent slab cache merging for key_jar
  keys: Replace strcpy(derived_buf, "AUTH_KEY") with strscpy(..., HASH_SIZE)
  KEYS: Use acquire when reading state in keyring search
  keys/trusted_keys: mark 'migratable' as __ro_after_init
  keys: use kmalloc_flex in user_preparse
  KEYS: trusted: Debugging as a feature
  KEYS: encrypted: Remove unnecessary selection of CRYPTO_RNG
  KEYS: fix overflow in keyctl_pkey_params_get_2()
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'integrity-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity</title>
<updated>2026-06-19T18:32:05+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-06-19T18:32:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0798268aa4c26ece25020b3ddeeef9a5941209c0'/>
<id>0798268aa4c26ece25020b3ddeeef9a5941209c0</id>
<content type='text'>
Pull IMA updates from Mimi Zohar:

 - Introduce IMA and EVM post-quantum ML-DSA signature support

   ML-DSA signature support for IMA and EVM is limited to sigv3
   signatures, which calculates and verifies a hash of a compact
   structure containing the file data/metadata hash, hash type, and hash
   algorithm. IMA and EVM still calculate the file data/metadata hashes
   respectively.

 - Introduce support for removing IMA measurement list records stored in
   kernel memory

   The IMA measurement list can grow large depending on policy, but
   removing records breaks remote attestation, unless they are safely
   preserved and made available for attestation requests. Until
   environments are prepared to preserve the measurement records, a new
   CONFIG_IMA_STAGING Kconfig option is introduced to guard against
   deletion.

   Several approaches for removing measurement list records were
   evaluated but rejected due to filesystem constraints, the
   introduction of a new critical data record, and locking concerns. Two
   methods are being upstreamed: staged deletion with confirmation, and
   staged deletion of N records without confirmation. Both methods
   minimize the period during which new measurements are blocked from
   being appended to the measurement list by staging the measurement
   list.

   A comparison of the two methods is included in the documentation.

 - Some code cleanup, and a couple of bug fixes

* tag 'integrity-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  doc: security: Add documentation of exporting and deleting IMA measurements
  ima: Support staging and deleting N measurements records
  ima: Add support for flushing the hash table when staging measurements
  ima: Add support for staging measurements with prompt
  ima: Introduce ima_dump_measurement()
  ima: Use snprintf() in create_securityfs_measurement_lists
  ima: Mediate open/release method of the measurements list
  ima: Introduce _ima_measurements_start() and _ima_measurements_next()
  ima: Introduce per binary measurements list type binary_runtime_size value
  ima: Introduce per binary measurements list type ima_num_records counter
  ima: Replace static htable queue with dynamically allocated array
  ima: Remove ima_h_table structure
  evm: terminate and bound the evm_xattrs read buffer
  integrity: Add support for sigv3 verification using ML-DSA keys
  integrity: Refactor asymmetric_verify for reusability
  integrity: Check that algo parameter is within valid range
  integrity: Check for NULL returned by asymmetric_key_public_key
  ima: return error early if file xattr cannot be changed
  ima: Fix sigv3 signature handling for EVM_IMA_XATTR_DIGSIG
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull IMA updates from Mimi Zohar:

 - Introduce IMA and EVM post-quantum ML-DSA signature support

   ML-DSA signature support for IMA and EVM is limited to sigv3
   signatures, which calculates and verifies a hash of a compact
   structure containing the file data/metadata hash, hash type, and hash
   algorithm. IMA and EVM still calculate the file data/metadata hashes
   respectively.

 - Introduce support for removing IMA measurement list records stored in
   kernel memory

   The IMA measurement list can grow large depending on policy, but
   removing records breaks remote attestation, unless they are safely
   preserved and made available for attestation requests. Until
   environments are prepared to preserve the measurement records, a new
   CONFIG_IMA_STAGING Kconfig option is introduced to guard against
   deletion.

   Several approaches for removing measurement list records were
   evaluated but rejected due to filesystem constraints, the
   introduction of a new critical data record, and locking concerns. Two
   methods are being upstreamed: staged deletion with confirmation, and
   staged deletion of N records without confirmation. Both methods
   minimize the period during which new measurements are blocked from
   being appended to the measurement list by staging the measurement
   list.

   A comparison of the two methods is included in the documentation.

 - Some code cleanup, and a couple of bug fixes

* tag 'integrity-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  doc: security: Add documentation of exporting and deleting IMA measurements
  ima: Support staging and deleting N measurements records
  ima: Add support for flushing the hash table when staging measurements
  ima: Add support for staging measurements with prompt
  ima: Introduce ima_dump_measurement()
  ima: Use snprintf() in create_securityfs_measurement_lists
  ima: Mediate open/release method of the measurements list
  ima: Introduce _ima_measurements_start() and _ima_measurements_next()
  ima: Introduce per binary measurements list type binary_runtime_size value
  ima: Introduce per binary measurements list type ima_num_records counter
  ima: Replace static htable queue with dynamically allocated array
  ima: Remove ima_h_table structure
  evm: terminate and bound the evm_xattrs read buffer
  integrity: Add support for sigv3 verification using ML-DSA keys
  integrity: Refactor asymmetric_verify for reusability
  integrity: Check that algo parameter is within valid range
  integrity: Check for NULL returned by asymmetric_key_public_key
  ima: return error early if file xattr cannot be changed
  ima: Fix sigv3 signature handling for EVM_IMA_XATTR_DIGSIG
</pre>
</div>
</content>
</entry>
</feed>
