Commit 1dbae18

Merge tag 'selinux-pr-20230829' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux
Pull selinux updates from Paul Moore:
 "Thirty three SELinux patches, which is a pretty big number for us, but there isn't really anything scary in here; in fact we actually manage to remove 10 lines of code with this :)

  - Promote the SELinux DEBUG_HASHES macro to CONFIG_SECURITY_SELINUX_DEBUG

    The DEBUG_HASHES macro was a buried SELinux specific preprocessor debug macro that was a problem waiting to happen. Promoting the debug macro to a proper Kconfig setting should help both improve the visibility of the feature as well as enable improved test coverage. We've moved some additional debug functions under the CONFIG_SECURITY_SELINUX_DEBUG flag and we may see more work in the future.

  - Emit a pr_notice() message if virtual memory is executable by default

    As this impacts the SELinux access control policy enforcement, if the system's configuration is such that virtual memory is executable by default we print a single line notice to the console.

  - Drop avtab_search() in favor of avtab_search_node()

    Both functions are nearly identical so we removed avtab_search() and converted the callers to avtab_search_node().

  - Add some SELinux network auditing helpers

    The helpers not only reduce a small amount of code duplication, but they provide an opportunity to improve UDP flood performance slightly by delaying initialization of the audit data in some cases.

  - Convert GFP_ATOMIC allocators to GFP_KERNEL when reading SELinux policy

    There were two SELinux policy load helper functions that were allocating memory using GFP_ATOMIC; they have been converted to GFP_KERNEL.

  - Quiet a KMSAN warning in selinux_inet_conn_request()

    A one-line error path (re)set patch that resolves a KMSAN warning. It is important to note that this doesn't represent a real bug in the current code, but it quiets KMSAN and arguably hardens the code against future changes.

  - Cleanup the policy capability accessor functions

    This is a follow-up to the patch which reverted SELinux to using a global selinux_state pointer. This patch cleans up some artifacts of that change and turns each accessor into a one-line READ_ONCE() call into the policy capabilities array.

  - A number of patches from Christian Göttsche

    Christian submitted almost two-thirds of the patches in this pull request as he worked to harden the SELinux code against type differences, variable overflows, etc.

  - Support for separating early userspace from the kernel in policy, with a later revert

    We did have a patch that added a new userspace initial SID which would allow SELinux to distinguish between early user processes created before the initial policy load and the kernel itself. Unfortunately additional post-merge testing revealed a problematic interaction with an old SELinux userspace on an old version of Ubuntu so we've reverted the patch until we can resolve the compatibility issue.

  - Remove some outdated comments dealing with LSM hook registration

    When we removed the runtime disable functionality we forgot to remove some old comments discussing the importance of LSM hook registration ordering.

  - Minor administrative changes

    Stephen Smalley updated his email address and "debranded" SELinux from "NSA SELinux" to simply "SELinux". We've come a long way from the original NSA submission and I would consider SELinux a true community project at this point so removing the NSA branding just makes sense"

* tag 'selinux-pr-20230829' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: (33 commits)
  selinux: prevent KMSAN warning in selinux_inet_conn_request()
  selinux: use unsigned iterator in nlmsgtab code
  selinux: avoid implicit conversions in policydb code
  selinux: avoid implicit conversions in selinuxfs code
  selinux: make left shifts well defined
  selinux: update type for number of class permissions in services code
  selinux: avoid implicit conversions in avtab code
  selinux: revert SECINITSID_INIT support
  selinux: use GFP_KERNEL while reading binary policy
  selinux: update comment on selinux_hooks[]
  selinux: avoid implicit conversions in services code
  selinux: avoid implicit conversions in mls code
  selinux: use identical iterator type in hashtab_duplicate()
  selinux: move debug functions into debug configuration
  selinux: log about VM being executable by default
  selinux: fix a 0/NULL mistmatch in ad_net_init_from_iif()
  selinux: introduce SECURITY_SELINUX_DEBUG configuration
  selinux: introduce and use lsm_ad_net_init*() helpers
  selinux: update my email address
  selinux: add missing newlines in pr_err() statements
  ...
2 parents 3ea67c4 + 1df83cb commit 1dbae18

34 files changed

Lines changed: 276 additions & 286 deletions

security/selinux/Kconfig

Lines changed: 17 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -1,16 +1,16 @@
11
# SPDX-License-Identifier: GPL-2.0-only
22
config SECURITY_SELINUX
3-
bool "NSA SELinux Support"
3+
bool "SELinux Support"
44
depends on SECURITY_NETWORK && AUDIT && NET && INET
55
select NETWORK_SECMARK
66
default n
77
help
8-
This selects NSA Security-Enhanced Linux (SELinux).
8+
This selects Security-Enhanced Linux (SELinux).
99
You will also need a policy configuration and a labeled filesystem.
1010
If you are unsure how to answer this question, answer N.
1111

1212
config SECURITY_SELINUX_BOOTPARAM
13-
bool "NSA SELinux boot parameter"
13+
bool "SELinux boot parameter"
1414
depends on SECURITY_SELINUX
1515
default n
1616
help
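Review bot: only the user-visible prompt and help strings change in this hunk; the Kconfig symbols themselves (SECURITY_SELINUX, SECURITY_SELINUX_BOOTPARAM) keep their names, so existing .config files and CONFIG_* references in code are unaffected. It is worth saying so explicitly in the commit description so the rebrand is not mistaken for a configuration-compatibility change.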
@@ -24,11 +24,11 @@ config SECURITY_SELINUX_BOOTPARAM
2424
If you are unsure how to answer this question, answer N.
2525

2626
config SECURITY_SELINUX_DEVELOP
27-
bool "NSA SELinux Development Support"
27+
bool "SELinux Development Support"
2828
depends on SECURITY_SELINUX
2929
default y
3030
help
31-
This enables the development support option of NSA SELinux,
31+
This enables the development support option of SELinux,
3232
which is useful for experimenting with SELinux and developing
3333
policies. If unsure, say Y. With this option enabled, the
3434
kernel will start in permissive mode (log everything, deny nothing)
@@ -38,7 +38,7 @@ config SECURITY_SELINUX_DEVELOP
3838
/sys/fs/selinux/enforce.
3939

4040
config SECURITY_SELINUX_AVC_STATS
41-
bool "NSA SELinux AVC Statistics"
41+
bool "SELinux AVC Statistics"
4242
depends on SECURITY_SELINUX
4343
default y
4444
help
@@ -47,7 +47,7 @@ config SECURITY_SELINUX_AVC_STATS
4747
tools such as avcstat.
4848

4949
config SECURITY_SELINUX_SIDTAB_HASH_BITS
50-
int "NSA SELinux sidtab hashtable size"
50+
int "SELinux sidtab hashtable size"
5151
depends on SECURITY_SELINUX
5252
range 8 13
5353
default 9
@@ -59,7 +59,7 @@ config SECURITY_SELINUX_SIDTAB_HASH_BITS
5959
will ensure that lookups times are short and stable.
6060

6161
config SECURITY_SELINUX_SID2STR_CACHE_SIZE
62-
int "NSA SELinux SID to context string translation cache size"
62+
int "SELinux SID to context string translation cache size"
6363
depends on SECURITY_SELINUX
6464
default 256
6565
help
@@ -68,3 +68,12 @@ config SECURITY_SELINUX_SID2STR_CACHE_SIZE
6868
conversion. Setting this option to 0 disables the cache completely.
6969

7070
If unsure, keep the default value.
71+
72+
config SECURITY_SELINUX_DEBUG
73+
bool "SELinux kernel debugging support"
74+
depends on SECURITY_SELINUX
75+
default n
76+
help
77+
This enables debugging code designed to help SELinux kernel
78+
developers, unless you know what this does in the kernel code you
79+
should leave this disabled.
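Review bot: the new SECURITY_SELINUX_DEBUG help text joins two sentences with a comma ("...SELinux kernel developers, unless you know what this does..."); split it, e.g. "This enables debugging code designed to help SELinux kernel developers. Unless you know what this does in the kernel code, you should leave this disabled." The `depends on SECURITY_SELINUX` and `default n` lines match the other entries in this file, and a default of n is the right choice for code meant only for developers.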

security/selinux/avc.c

Lines changed: 9 additions & 8 deletions
@@ -2,7 +2,7 @@
22
/*
33
* Implementation of the kernel access vector cache (AVC).
44
*
5-
* Authors: Stephen Smalley, <sds@tycho.nsa.gov>
5+
* Authors: Stephen Smalley, <stephen.smalley.work@gmail.com>
66
* James Morris <jmorris@redhat.com>
77
*
88
* Update: KaiGai, Kohei <kaigai@ak.jp.nec.com>
@@ -122,7 +122,7 @@ static struct kmem_cache *avc_xperms_data_cachep __ro_after_init;
122122
static struct kmem_cache *avc_xperms_decision_cachep __ro_after_init;
123123
static struct kmem_cache *avc_xperms_cachep __ro_after_init;
124124

125-
static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass)
125+
static inline u32 avc_hash(u32 ssid, u32 tsid, u16 tclass)
126126
{
127127
return (ssid ^ (tsid<<2) ^ (tclass<<4)) & (AVC_CACHE_SLOTS - 1);
128128
}
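Review bot: returning u32 from avc_hash() is sound because the result is masked with (AVC_CACHE_SLOTS - 1) and can never be negative, but every caller that stores it in an `int hvalue` must be converted in the same series so that the hash is not compared or indexed with mixed signedness; the avc_search_node(), avc_insert() and avc_update_node() hunks in this file do that, so check that no caller outside this file is left with the old `int`.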
@@ -523,7 +523,7 @@ static void avc_node_populate(struct avc_node *node, u32 ssid, u32 tsid, u16 tcl
523523
static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass)
524524
{
525525
struct avc_node *node, *ret = NULL;
526-
int hvalue;
526+
u32 hvalue;
527527
struct hlist_head *head;
528528

529529
hvalue = avc_hash(ssid, tsid, tclass);
@@ -566,7 +566,7 @@ static struct avc_node *avc_lookup(u32 ssid, u32 tsid, u16 tclass)
566566
return NULL;
567567
}
568568

569-
static int avc_latest_notif_update(int seqno, int is_insert)
569+
static int avc_latest_notif_update(u32 seqno, int is_insert)
570570
{
571571
int ret = 0;
572572
static DEFINE_SPINLOCK(notif_lock);
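Review bot: widening `seqno` to u32 while keeping the `int` return is correct since the return value is a status, not a sequence number; verify in the body (not shown in this hunk) that `seqno` is now compared only against unsigned sequence counters, otherwise the signedness change just moves the mixed comparison from the caller into this function.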
@@ -609,7 +609,7 @@ static void avc_insert(u32 ssid, u32 tsid, u16 tclass,
609609
struct av_decision *avd, struct avc_xperms_node *xp_node)
610610
{
611611
struct avc_node *pos, *node = NULL;
612-
int hvalue;
612+
u32 hvalue;
613613
unsigned long flag;
614614
spinlock_t *lock;
615615
struct hlist_head *head;
@@ -654,9 +654,9 @@ static void avc_audit_pre_callback(struct audit_buffer *ab, void *a)
654654
{
655655
struct common_audit_data *ad = a;
656656
struct selinux_audit_data *sad = ad->selinux_audit_data;
657-
u32 av = sad->audited;
657+
u32 av = sad->audited, perm;
658658
const char *const *perms;
659-
int i, perm;
659+
u32 i;
660660

661661
audit_log_format(ab, "avc: %s ", sad->denied ? "denied" : "granted");
662662

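Review bot: declaring `perm` on the same line as the initialized `av` (`u32 av = sad->audited, perm;`) is easy to misread; prefer a separate `u32 perm;` next to `u32 i;`. Since both `i` and `perm` are now unsigned, also make sure the loop that derives each permission bit uses an unsigned constant (`1U << i`) so the shift for the top bit of a 32-bit access vector is well defined.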
@@ -833,7 +833,8 @@ static int avc_update_node(u32 event, u32 perms, u8 driver, u8 xperm, u32 ssid,
833833
struct extended_perms_decision *xpd,
834834
u32 flags)
835835
{
836-
int hvalue, rc = 0;
836+
u32 hvalue;
837+
int rc = 0;
837838
unsigned long flag;
838839
struct avc_node *pos, *node, *orig = NULL;
839840
struct hlist_head *head;
