<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/security, branch master</title>
<subtitle>Linux kernel mainline source</subtitle>
<id>http://mirrors.hust.edu.cn/git/linux.git/atom?h=master</id>
<link rel='self' href='http://mirrors.hust.edu.cn/git/linux.git/atom?h=master'/>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux.git/'/>
<updated>2026-07-16T20:22:17+00:00</updated>
<entry>
<title>Merge tag 'landlock-7.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux</title>
<updated>2026-07-16T20:22:17+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-07-16T20:22:17+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux.git/commit/?id=481ed5dd3ed7136f627b8ec372ba39f5b2e7d27f'/>
<id>urn:sha1:481ed5dd3ed7136f627b8ec372ba39f5b2e7d27f</id>
<content type='text'>
Pull landlock fix from Mickaël Salaün:
 "This fixes TCP Fast Open support, specific test environments, and doc
  warnings"

* tag 'landlock-7.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux:
  selftests/landlock: Skip scoped_signal subtest with MSG_OOB if not available
  selftests/landlock: Fix screwed up pointers in the scoped_signal_test
  landlock: Update formatting
  landlock: Fix kernel-doc for the nested quiet layer flag
  selftests/landlock: Add test for TCP fast open
  landlock: Fix TCP Fast Open connection bypass
</content>
</entry>
<entry>
<title>Merge tag 'selinux-pr-20260710' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux</title>
<updated>2026-07-11T01:59:29+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-07-11T01:59:29+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux.git/commit/?id=ccce5f6e7c86f103d76534e2d06d1c903dce551c'/>
<id>urn:sha1:ccce5f6e7c86f103d76534e2d06d1c903dce551c</id>
<content type='text'>
Pull selinux fixes from Paul Moore:
 "Two small SELinux patches to fix a missing permission check for TCP
  Fast Open operations and fix a socket lookup issue with SCTP ASCONF
  operations"

* tag 'selinux-pr-20260710' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: avoid sk_socket dereference in selinux_sctp_bind_connect()
  selinux: check connect-related permissions on TCP Fast Open
</content>
</entry>
<entry>
<title>landlock: Update formatting</title>
<updated>2026-07-10T10:59:10+00:00</updated>
<author>
<name>Mickaël Salaün</name>
<email>mic@digikod.net</email>
</author>
<published>2026-07-08T11:06:33+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux.git/commit/?id=97c0e344e03818dbf3116e77d3d7fe81f1fbe795'/>
<id>urn:sha1:97c0e344e03818dbf3116e77d3d7fe81f1fbe795</id>
<content type='text'>
Following commit 99df2a8eba34 ("clang-format: fix formatting of guard()
and scoped_guard() statements"), update scoped_guard() formatting.
Also, see the related fix [1].

Cc: Günther Noack &lt;gnoack@google.com&gt;
Cc: Miguel Ojeda &lt;ojeda@kernel.org&gt;
Link: https://lore.kernel.org/r/20260708105713.2073335-1-mic@digikod.net [1]
Link: https://patch.msgid.link/20260708110635.2083515-1-mic@digikod.net
Reviewed-by: Günther Noack &lt;gnoack@google.com&gt;
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>landlock: Fix kernel-doc for the nested quiet layer flag</title>
<updated>2026-07-10T10:59:09+00:00</updated>
<author>
<name>Mickaël Salaün</name>
<email>mic@digikod.net</email>
</author>
<published>2026-07-03T14:17:09+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux.git/commit/?id=592a37889f97d60debf6a442684ba4d13435c817'/>
<id>urn:sha1:592a37889f97d60debf6a442684ba4d13435c817</id>
<content type='text'>
kernel-doc emits "Excess struct member 'quiet' description in
'landlock_layer'" because "quiet" is a bitfield inside the named nested
struct "flags", but its inline comment used the bare member name
"@quiet:", which kernel-doc attributes to the enclosing landlock_layer.

Use the canonical dotted notation "@flags.quiet:" so kernel-doc resolves
the nested member, and include it in the generated documentation.

Cc: Justin Suess &lt;utilityemal77@gmail.com&gt;
Cc: Tingmao Wang &lt;m@maowtm.org&gt;
Fixes: a260c0055665 ("landlock: Add a place for flags to layer rules")
Link: https://patch.msgid.link/20260703141711.2016964-1-mic@digikod.net
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>landlock: Fix TCP Fast Open connection bypass</title>
<updated>2026-07-10T10:59:07+00:00</updated>
<author>
<name>Matthieu Buffet</name>
<email>matthieu@buffet.re</email>
</author>
<published>2026-07-01T21:46:27+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux.git/commit/?id=33cb713db0161b54f04fe830e062c9e102c29a04'/>
<id>urn:sha1:33cb713db0161b54f04fe830e062c9e102c29a04</id>
<content type='text'>
The documentation of the socket_connect() LSM hook states that it
controls connecting a socket to a remote address. It has not been the
case since the addition of TCP Fast Open (RFC 7413) support, which
allows opening a TCP connection (thus, setting a socket's destination
address) via the MSG_FASTOPEN flag passed to
sendto()/sendmsg()/sendmmsg(). The problem then got duplicated into
MPTCP.

Landlock did not take it into account when its TCP support was added,
leaving a bypass of TCP connect policy.

Ideally a call to the LSM hook would be added in the fastopen code path,
in order to fix this generically. But connect() hooks are designed to
run with the socket locked, unlike sendmsg() hooks.

Closes: https://github.com/landlock-lsm/linux/issues/41
Fixes: fff69fb03dde ("landlock: Support network rules with TCP bind and connect")
Signed-off-by: Matthieu Buffet &lt;matthieu@buffet.re&gt;
Link: https://patch.msgid.link/20260701214628.33319-1-matthieu@buffet.re
Cc: stable@vger.kernel.org
[mic: Wrap commit message]
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>selinux: avoid sk_socket dereference in selinux_sctp_bind_connect()</title>
<updated>2026-07-01T22:22:22+00:00</updated>
<author>
<name>Tristan Madani</name>
<email>tristan@talencesecurity.com</email>
</author>
<published>2026-06-25T23:53:36+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux.git/commit/?id=56acfeb10019e200ab6787d01f8d7cbe0f01526f'/>
<id>urn:sha1:56acfeb10019e200ab6787d01f8d7cbe0f01526f</id>
<content type='text'>
selinux_sctp_bind_connect() dereferences sk-&gt;sk_socket to pass a
struct socket * to selinux_socket_bind() and
selinux_socket_connect_helper().  However, when the hook is invoked
from the ASCONF softirq path (sctp_process_asconf), there is no file
reference guaranteeing that sk-&gt;sk_socket is non-NULL.  The setsockopt
callers (bindx, connectx, set_primary, sendmsg connect) hold a file
reference and are not affected.

Both selinux_socket_bind() and selinux_socket_connect_helper()
immediately resolve sock-&gt;sk, never using the struct socket * for
anything else.  Refactor the inner logic into helpers that take a
struct sock * directly so that selinux_sctp_bind_connect() never needs
to touch sk-&gt;sk_socket at all.

Cc: stable@vger.kernel.org
Fixes: d452930fd3b9 ("selinux: Add SCTP support")
Suggested-by: Stephen Smalley &lt;stephen.smalley.work@gmail.com&gt;
Signed-off-by: Tristan Madani &lt;tristan@talencesecurity.com&gt;
Reviewed-by: Stephen Smalley &lt;stephen.smalley.work@gmail.com&gt;
Tested-by: Stephen Smalley &lt;stephen.smalley.work@gmail.com&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
</entry>
<entry>
<title>selinux: check connect-related permissions on TCP Fast Open</title>
<updated>2026-07-01T21:09:53+00:00</updated>
<author>
<name>Stephen Smalley</name>
<email>stephen.smalley.work@gmail.com</email>
</author>
<published>2026-06-18T17:55:14+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux.git/commit/?id=44c74d27d1b9aaa99fa8a83640c1223575262b80'/>
<id>urn:sha1:44c74d27d1b9aaa99fa8a83640c1223575262b80</id>
<content type='text'>
Similar to Landlock, SELinux was not updated when TCP Fast Open
support was introduced to ensure connect-related permissions are
checked when using TCP Fast Open. Update its socket_sendmsg() hook to
call selinux_socket_connect() when MSG_FASTOPEN is passed.

Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/linux-security-module/20260616201615.275032-1-hexlabsecurity@proton.me/
Link: https://lore.kernel.org/linux-security-module/20260617180526.15627-2-matthieu@buffet.re/
Reported-by: Bryam Vargas &lt;hexlabsecurity@proton.me&gt;
Reported-by: Matthieu Buffet &lt;matthieu@buffet.re&gt;
Reported-by: Mikhail Ivanov &lt;ivanov.mikhail1@huawei-partners.com&gt;
Signed-off-by: Stephen Smalley &lt;stephen.smalley.work@gmail.com&gt;
Tested-by: Bryam Vargas &lt;hexlabsecurity@proton.me&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
</entry>
<entry>
<title>bpf: Reject BPF_MAP_TYPE_INODE_STORAGE creation if BPF LSM is uninitialized</title>
<updated>2026-06-30T14:31:56+00:00</updated>
<author>
<name>Matt Bobrowski</name>
<email>mattbobrowski@google.com</email>
</author>
<published>2026-06-28T20:11:03+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux.git/commit/?id=a6f0643e4f63cfaa0d5d4a69de4f132eac4b8fe4'/>
<id>urn:sha1:a6f0643e4f63cfaa0d5d4a69de4f132eac4b8fe4</id>
<content type='text'>
When CONFIG_BPF_LSM=y is set, BPF inode storage maps
(BPF_MAP_TYPE_INODE_STORAGE) are compiled into the kernel. However,
if the BPF LSM is not explicitly enabled at boot time (e.g. omitted
from the "lsm=" boot parameter), lsm_prepare() is never executed for
the BPF LSM.

Consequently, the BPF inode security blob offset
(bpf_lsm_blob_sizes.lbs_inode) is never initialized and remains at
its default compiled size of 8 bytes instead of being updated to a
valid offset past the reserved struct rcu_head (typically 16 bytes
or more).

When a privileged user creates and updates a BPF_MAP_TYPE_INODE_STORAGE
map, bpf_inode() evaluates inode-&gt;i_security + 8. This erroneously
aliases the struct rcu_head.func callback pointer at the beginning
of the inode-&gt;i_security blob. During subsequent map element cleanup
or inode destruction, writing NULL to owner_storage clears the queued
RCU callback pointer. When rcu_do_batch() later executes the queued
callback, it attempts an instruction fetch at address 0x0, triggering
an immediate kernel panic.

Fix this by introducing a global bpf_lsm_initialized boolean flag
marked with __ro_after_init. Set this flag to true inside bpf_lsm_init()
when the LSM framework successfully registers the BPF LSM. Gate map
allocation in inode_storage_map_alloc() on this flag, returning
-EOPNOTSUPP if the BPF LSM is in turn uninitialized.

This fail-fast approach prevents userspace from allocating inode
storage maps when the supporting BPF LSM infrastructure is absent,
avoiding zombie map states.

Fixes: 8ea636848aca ("bpf: Implement bpf_local_storage for inodes")
Reported-by: oxsignal &lt;awo@kakao.com&gt;
Signed-off-by: Matt Bobrowski &lt;mattbobrowski@google.com&gt;
Signed-off-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Reviewed-by: Emil Tsalapatis &lt;emil@etsalapatis.com&gt;
Reviewed-by: Amery Hung &lt;ameryhung@gmail.com&gt;
Link: https://lore.kernel.org/bpf/20260628201103.3624525-1-mattbobrowski@google.com
</content>
</entry>
<entry>
<title>Merge tag 'apparmor-pr-2026-06-22' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor</title>
<updated>2026-06-24T19:33:40+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-06-24T19:33:40+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux.git/commit/?id=6535a84bfdc4ab56fc901cbd9bd0d1a22315aa93'/>
<id>urn:sha1:6535a84bfdc4ab56fc901cbd9bd0d1a22315aa93</id>
<content type='text'>
Pull apparmor updates from John Johansen:
 "Another round of bug fixing and some code cleanups, there are no new
  features. The biggest thing to note is Georgia is being added to help
  co-maintain apparmor.

  Cleanups:
   - replace get_zeroed_page() with kzalloc()
   - remove unnecessary goto and associated label
   - change fn_label_build() to return err on failure instead of NULL or
     err
   - free rawdata as soon as possible
   - use explicit instead of implicit flex array in rawdata_f_data
   - use __label_make_stale in __aa_proxy_redirect
   - return correct error by propagate -ENOMEM correctly in unpack_table
   - aa_label_alloc use aa_label_free on alloc failure
   - add a conditional version of get_newest_label

  Bug Fixes:
   - mediate the implicit connect of TCP fast open sendmsg
   - fix C23ism of label immediately before a declaration
   - fix kernel-doc warnings
   - fix spelling mistakes
   - fix use-after-free in rawdata dedup loop
   - Fix inverted comparison in cache_hold_inc()
   - fix uninitialized pointer passed to audit_log_untrustedstring()
   - don't audit files pointing to aa_null.dentry
   - put secmark label after secid lookup
   - fix aa_getprocattr free procattr leak on format failure
   - release exe file resources on path failure
   - fail policy unpack on accept2 allocation failure
   - Fix return in ns_mkdir_op
   - remove or add symlinks to rawdata according to export_binary
   - fix NULL pointer dereference in unpack_pdb
   - fix potential UAF in aa_replace_profiles
   - grab ns lock and refresh when looking up changehat child profiles
   - enable differential encoding
   - check label build before no_new_privs test
   - conditionally compile get_loaddata_common_ref()
   - fix unix socket mediation cache update, and leak"

* tag 'apparmor-pr-2026-06-22' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: (35 commits)
  apparmor: advertise the tcp fast open fix is applied
  apparmor: mediate the implicit connect of TCP fast open sendmsg
  apparmor: fix label can not be immediately before a declaration
  apparmor: fix kernel-doc warnings
  apparmor: replace get_zeroed_page() with kzalloc()
  security: apparmor: fix two spelling mistakes
  apparmor: fix use-after-free in rawdata dedup loop
  apparmor: Fix inverted comparison in cache_hold_inc()
  apparmor: fix uninitialised pointer passed to audit_log_untrustedstring()
  apparmor: don't audit files pointing to aa_null.dentry
  apparmor: put secmark label after secid lookup
  apparmor: aa_getprocattr free procattr leak on format failure
  apparmor: remove unnecessary goto and associated label
  apparmor: release exe file resources on path failure
  apparmor: fail policy unpack on accept2 allocation failure
  apparmor: Fix return in ns_mkdir_op
  apparmor: remove or add symlinks to rawdata according to export_binary
  apparmor: fix NULL pointer dereference in unpack_pdb
  apparmor: make fn_label_build() capable of handling not supported
  apparmor: change fn_label_build() call to not return NULL
  ...
</content>
</entry>
<entry>
<title>apparmor: advertise the tcp fast open fix is applied</title>
<updated>2026-06-24T05:15:15+00:00</updated>
<author>
<name>John Johansen</name>
<email>john.johansen@canonical.com</email>
</author>
<published>2026-06-22T23:34:13+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux.git/commit/?id=2f6701a5ce6257ae7a64ddc6d89d0a08d2a034f8'/>
<id>urn:sha1:2f6701a5ce6257ae7a64ddc6d89d0a08d2a034f8</id>
<content type='text'>
The fix for tcp-fast-open ensures that the connect permission is being
mediated correctly but it didn't add an artifact to the feature set to
advertise the fix is available. Add an artifact so that the test suite
can identify if the fix has not been properly applied or a new
unexpected regression has occurred.

Fixes: 4d587cd8a7215 ("apparmor: mediate the implicit connect of TCP fast open sendmsg")
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
</feed>
