linux.git/security, branch v6.18 Linux kernel source tree Merge tag 'selinux-pr-20251121' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux 2025-11-22T17:24:36+00:00 Linus Torvalds torvalds@linux-foundation.org 2025-11-22T17:24:36+00:00 5703357ede59ce8b0af11e02c374a3db73c55ee8 Pull selinux fixes from Paul Moore: "Three SELinux patches for v6.18 to fix issues around accessing the per-task decision cache that we introduced in v6.16 to help reduce SELinux overhead on path walks. The problem was that despite the cache being located in the SELinux "task_security_struct", the parent struct wasn't actually tied to the task, it was tied to a cred. Historically SELinux did locate the task_security_struct in the task_struct's security blob, but it was later relocated to the cred struct when the cred work happened, as it made the most sense at the time. Unfortunately we never did the task_security_struct to cred_security_struct rename work (avoid code churn maybe? who knows) because it didn't really matter at the time. However, it suddenly became a problem when we added a per-task cache to a per-cred object and didn't notice because of the old, no-longer-correct struct naming. Thanks to KCSAN for flagging this, as the silly humans running things forgot that the task_security_struct was a big lie. This contains three patches, only one of which actually fixes the problem described above and moves the SELinux decision cache from the per-cred struct to a newly (re)created per-task struct. The other two patches, which form the bulk of the diffstat, take care of the associated renaming tasks so we can hopefully avoid making the same stupid mistake in the future. For the record, I did contemplate sending just a fix for the cache, leaving the renaming patches for the upcoming merge window, but the type/variable naming ended up being pretty awful and would have made v6.18 an outlier stuck between the "old" names and the "new" names in v6.19. The renaming patches are also fairly mechanical/trivial and shouldn't pose much risk despite their size. TLDR; naming things may be hard, but if you mess it up bad things happen" * tag 'selinux-pr-20251121' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: selinux: rename the cred_security_struct variables to "crsec" selinux: move avdcache to per-task security struct selinux: rename task_security_struct to cred_security_struct 
Pull selinux fixes from Paul Moore:
 "Three SELinux patches for v6.18 to fix issues around accessing the
  per-task decision cache that we introduced in v6.16 to help reduce
  SELinux overhead on path walks. The problem was that despite the cache
  being located in the SELinux "task_security_struct", the parent struct
  wasn't actually tied to the task, it was tied to a cred.

  Historically SELinux did locate the task_security_struct in the
  task_struct's security blob, but it was later relocated to the cred
  struct when the cred work happened, as it made the most sense at the
  time.

  Unfortunately we never did the task_security_struct to
  cred_security_struct rename work (avoid code churn maybe? who knows)
  because it didn't really matter at the time. However, it suddenly
  became a problem when we added a per-task cache to a per-cred object
  and didn't notice because of the old, no-longer-correct struct naming.

  Thanks to KCSAN for flagging this, as the silly humans running things
  forgot that the task_security_struct was a big lie.

  This contains three patches, only one of which actually fixes the
  problem described above and moves the SELinux decision cache from the
  per-cred struct to a newly (re)created per-task struct.

  The other two patches, which form the bulk of the diffstat, take care
  of the associated renaming tasks so we can hopefully avoid making the
  same stupid mistake in the future.

  For the record, I did contemplate sending just a fix for the cache,
  leaving the renaming patches for the upcoming merge window, but the
  type/variable naming ended up being pretty awful and would have made
  v6.18 an outlier stuck between the "old" names and the "new" names in
  v6.19. The renaming patches are also fairly mechanical/trivial and
  shouldn't pose much risk despite their size.

  TLDR; naming things may be hard, but if you mess it up bad things
  happen"

* tag 'selinux-pr-20251121' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: rename the cred_security_struct variables to "crsec"
  selinux: move avdcache to per-task security struct
  selinux: rename task_security_struct to cred_security_struct
selinux: rename the cred_security_struct variables to "crsec" 2025-11-20T21:47:50+00:00 Paul Moore paul@paul-moore.com 2025-11-18T22:27:58+00:00 3ded250b97c3ae94a642bc2e710a95700e72dfb0 Along with the renaming from task_security_struct to cred_security_struct, rename the local variables to "crsec" from "tsec". This both fits with existing conventions and helps distinguish between task and cred related variables. No functional changes. Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 
Along with the renaming from task_security_struct to cred_security_struct,
rename the local variables to "crsec" from "tsec".  This both fits with
existing conventions and helps distinguish between task and cred related
variables.

No functional changes.

Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
selinux: move avdcache to per-task security struct 2025-11-20T21:43:51+00:00 Stephen Smalley stephen.smalley.work@gmail.com 2025-11-13T20:23:14+00:00 dde3a5d0f4dce1d1a6095e6b8eeb59b75d28fb3b The avdcache is meant to be per-task; move it to a new task_security_struct that is duplicated per-task. Cc: stable@vger.kernel.org Fixes: 5d7ddc59b3d89b724a5aa8f30d0db94ff8d2d93f ("selinux: reduce path walk overhead") Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> [PM: line length fixes] Signed-off-by: Paul Moore <paul@paul-moore.com> 
The avdcache is meant to be per-task; move it to a new
task_security_struct that is duplicated per-task.

Cc: stable@vger.kernel.org
Fixes: 5d7ddc59b3d89b724a5aa8f30d0db94ff8d2d93f ("selinux: reduce path walk overhead")
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
[PM: line length fixes]
Signed-off-by: Paul Moore <paul@paul-moore.com>
selinux: rename task_security_struct to cred_security_struct 2025-11-20T21:43:50+00:00 Stephen Smalley stephen.smalley.work@gmail.com 2025-11-13T20:23:13+00:00 75f72fe289a7f76204a728668edcf20e4a2a6097 Before Linux had cred structures, the SELinux task_security_struct was per-task and although the structure was switched to being per-cred long ago, the name was never updated. This change renames it to cred_security_struct to avoid confusion and pave the way for the introduction of an actual per-task security structure for SELinux. No functional change. Cc: stable@vger.kernel.org Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 
Before Linux had cred structures, the SELinux task_security_struct was
per-task and although the structure was switched to being per-cred
long ago, the name was never updated. This change renames it to
cred_security_struct to avoid confusion and pave the way for the
introduction of an actual per-task security structure for SELinux. No
functional change.

Cc: stable@vger.kernel.org
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
landlock: fix splats from iput() after it started calling might_sleep() 2025-11-12T09:47:42+00:00 Mateusz Guzik mjguzik@gmail.com 2025-11-05T21:20:25+00:00 56325e8c68c0724d626f665773a5005dcf44e329 At this point it is guaranteed this is not the last reference. However, a recent addition of might_sleep() at top of iput() started generating false-positives as it was executing for all values. Remedy the problem by using the newly introduced iput_not_last(). Reported-by: syzbot+12479ae15958fc3f54ec@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/68d32659.a70a0220.4f78.0012.GAE@google.com/ Fixes: 2ef435a872ab ("fs: add might_sleep() annotation to iput() and more") Signed-off-by: Mateusz Guzik <mjguzik@gmail.com> Link: https://patch.msgid.link/20251105212025.807549-2-mjguzik@gmail.com Reviewed-by: Mickaël Salaün <mic@digikod.net> Signed-off-by: Christian Brauner <brauner@kernel.org> 
At this point it is guaranteed this is not the last reference.

However, a recent addition of might_sleep() at top of iput() started
generating false-positives as it was executing for all values.

Remedy the problem by using the newly introduced iput_not_last().

Reported-by: syzbot+12479ae15958fc3f54ec@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/68d32659.a70a0220.4f78.0012.GAE@google.com/
Fixes: 2ef435a872ab ("fs: add might_sleep() annotation to iput() and more")
Signed-off-by: Mateusz Guzik <mjguzik@gmail.com>
Link: https://patch.msgid.link/20251105212025.807549-2-mjguzik@gmail.com
Reviewed-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Merge tag 'integrity-v6.18' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity 2025-10-05T17:48:33+00:00 Linus Torvalds torvalds@linux-foundation.org 2025-10-05T17:48:33+00:00 678074f1a8e03598977bdeea10a4ce51c4f4a0c4 Pull integrity updates from Mimi Zohar: "Just a couple of changes: crypto code cleanup and a IMA xattr bug fix" * tag 'integrity-v6.18' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity: ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr lib/digsig: Use SHA-1 library instead of crypto_shash integrity: Select CRYPTO from INTEGRITY_ASYMMETRIC_KEYS 
Pull integrity updates from Mimi Zohar:
 "Just a couple of changes: crypto code cleanup and a IMA xattr bug fix"

* tag 'integrity-v6.18' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr
  lib/digsig: Use SHA-1 library instead of crypto_shash
  integrity: Select CRYPTO from INTEGRITY_ASYMMETRIC_KEYS
Merge tag 'keys-next-6.18' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd 2025-10-04T22:23:29+00:00 Linus Torvalds torvalds@linux-foundation.org 2025-10-04T22:23:29+00:00 b4e5bb555594826bb98aaf8bcd9f957f0428cb07 Pull keys updates from Jarkko Sakkinen: "A few minor updates/fixes for keys" * tag 'keys-next-6.18' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd: security: keys: use menuconfig for KEYS symbol KEYS: encrypted: Use SHA-256 library instead of crypto_shash KEYS: trusted_tpm1: Move private functionality out of public header KEYS: trusted_tpm1: Use SHA-1 library instead of crypto_shash KEYS: trusted_tpm1: Compare HMAC values in constant time 
Pull keys updates from Jarkko Sakkinen:
 "A few minor updates/fixes for keys"

* tag 'keys-next-6.18' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd:
  security: keys: use menuconfig for KEYS symbol
  KEYS: encrypted: Use SHA-256 library instead of crypto_shash
  KEYS: trusted_tpm1: Move private functionality out of public header
  KEYS: trusted_tpm1: Use SHA-1 library instead of crypto_shash
  KEYS: trusted_tpm1: Compare HMAC values in constant time
security: keys: use menuconfig for KEYS symbol 2025-10-04T14:25:35+00:00 Randy Dunlap rdunlap@infradead.org 2025-09-27T18:14:20+00:00 8be70a8fc667c33e69257a72e8092f07c828241e Give the KEYS kconfig symbol and its associated symbols a separate menu space under Security options by using "menuconfig" instead of "config". This also makes it easier to find the security and LSM options. Signed-off-by: Randy Dunlap <rdunlap@infradead.org> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org> 
Give the KEYS kconfig symbol and its associated symbols a separate menu
space under Security options by using "menuconfig" instead of "config".

This also makes it easier to find the security and LSM options.

Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
KEYS: encrypted: Use SHA-256 library instead of crypto_shash 2025-10-04T14:25:35+00:00 Eric Biggers ebiggers@kernel.org 2025-09-15T18:14:43+00:00 9b8d24a49fe83787208479d51f320cead25e856c Instead of the "sha256" crypto_shash, just use sha256(). Similarly, instead of the "hmac(sha256)" crypto_shash, just use hmac_sha256_usingrawkey(). This is simpler and faster. Signed-off-by: Eric Biggers <ebiggers@kernel.org> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org> 
Instead of the "sha256" crypto_shash, just use sha256().  Similarly,
instead of the "hmac(sha256)" crypto_shash, just use
hmac_sha256_usingrawkey().  This is simpler and faster.

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Merge tag 'pull-f_path' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2025-10-03T23:32:36+00:00 Linus Torvalds torvalds@linux-foundation.org 2025-10-03T23:32:36+00:00 50647a1176b7abd1b4ae55b491eb2fbbeef89db9 Pull file->f_path constification from Al Viro: "Only one thing was modifying ->f_path of an opened file - acct(2). Massaging that away and constifying a bunch of struct path * arguments in functions that might be given &file->f_path ends up with the situation where we can turn ->f_path into an anon union of const struct path f_path and struct path __f_path, the latter modified only in a few places in fs/{file_table,open,namei}.c, all for struct file instances that are yet to be opened" * tag 'pull-f_path' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (23 commits) Have cc(1) catch attempts to modify ->f_path kernel/acct.c: saner struct file treatment configfs:get_target() - release path as soon as we grab configfs_item reference apparmor/af_unix: constify struct path * arguments ovl_is_real_file: constify realpath argument ovl_sync_file(): constify path argument ovl_lower_dir(): constify path argument ovl_get_verity_digest(): constify path argument ovl_validate_verity(): constify {meta,data}path arguments ovl_ensure_verity_loaded(): constify datapath argument ksmbd_vfs_set_init_posix_acl(): constify path argument ksmbd_vfs_inherit_posix_acl(): constify path argument ksmbd_vfs_kern_path_unlock(): constify path argument ksmbd_vfs_path_lookup_locked(): root_share_path can be const struct path * check_export(): constify path argument export_operations->open(): constify path argument rqst_exp_get_by_name(): constify path argument nfs: constify path argument of __vfs_getattr() bpf...d_path(): constify path argument done_path_create(): constify path argument ... 
Pull file->f_path constification from Al Viro:
 "Only one thing was modifying ->f_path of an opened file - acct(2).

  Massaging that away and constifying a bunch of struct path * arguments
  in functions that might be given &file->f_path ends up with the
  situation where we can turn ->f_path into an anon union of const
  struct path f_path and struct path __f_path, the latter modified only
  in a few places in fs/{file_table,open,namei}.c, all for struct file
  instances that are yet to be opened"

* tag 'pull-f_path' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (23 commits)
  Have cc(1) catch attempts to modify ->f_path
  kernel/acct.c: saner struct file treatment
  configfs:get_target() - release path as soon as we grab configfs_item reference
  apparmor/af_unix: constify struct path * arguments
  ovl_is_real_file: constify realpath argument
  ovl_sync_file(): constify path argument
  ovl_lower_dir(): constify path argument
  ovl_get_verity_digest(): constify path argument
  ovl_validate_verity(): constify {meta,data}path arguments
  ovl_ensure_verity_loaded(): constify datapath argument
  ksmbd_vfs_set_init_posix_acl(): constify path argument
  ksmbd_vfs_inherit_posix_acl(): constify path argument
  ksmbd_vfs_kern_path_unlock(): constify path argument
  ksmbd_vfs_path_lookup_locked(): root_share_path can be const struct path *
  check_export(): constify path argument
  export_operations->open(): constify path argument
  rqst_exp_get_by_name(): constify path argument
  nfs: constify path argument of __vfs_getattr()
  bpf...d_path(): constify path argument
  done_path_create(): constify path argument
  ...