Merge tag 'selinux-pr-20241112' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

Pull selinux updates from Paul Moore:

 - Add support for netlink xperms

   Some time ago we added the concept of "xperms" to the SELinux policy
   so that we could write policy for individual ioctls, this builds upon
   this by using extending xperms to netlink so that we can write
   SELinux policy for individual netlnk message types and not rely on
   the fairly coarse read/write mapping tables we currently have.

   There are limitations involving generic netlink due to the
   multiplexing that is done, but it's no worse that what we currently
   have. As usual, more information can be found in the commit message.

 - Deprecate /sys/fs/selinux/user

   We removed the only known userspace use of this back in 2020 and now
   that several years have elapsed we're starting down the path of
   deprecating it in the kernel.

 - Cleanup the build under scripts/selinux

   A couple of patches to move the genheaders tool under
   security/selinux and correct our usage of kernel headers in the tools
   located under scripts/selinux. While these changes originated out of
   an effort to build Linux on different systems, they are arguably the
   right thing to do regardless.

 - Minor code cleanups and style fixes

   Not much to say here, two minor cleanup patches that came out of the
   netlink xperms work

* tag 'selinux-pr-20241112' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: Deprecate /sys/fs/selinux/user
  selinux: apply clang format to security/selinux/nlmsgtab.c
  selinux: streamline selinux_nlmsg_lookup()
  selinux: Add netlink xperm support
  selinux: move genheaders to security/selinux/
  selinux: do not include <linux/*.h> headers from host programs

7 files changed, 5 insertions, 170 deletions

diff --git a/scripts/remove-stale-files b/scripts/remove-stale-files
index 8fc55a749ccc..6e39fa8540df 100755
--- a/scripts/remove-stale-files
+++ b/scripts/remove-stale-files
@@ -20,6 +20,9 @@ set -e
 # yard. Stale files stay in this file for a while (for some release cycles?),
 # then will be really dead and removed from the code base entirely.
 
+# moved to security/selinux/genheaders
+rm -f scripts/selinux/genheaders/genheaders
+
 rm -f *.spec
 
 rm -f lib/test_fortify.log
diff --git a/scripts/selinux/Makefile b/scripts/selinux/Makefile
index 59494e14989b..4b1308fa5732 100644
--- a/scripts/selinux/Makefile
+++ b/scripts/selinux/Makefile
@@ -1,2 +1,2 @@
 # SPDX-License-Identifier: GPL-2.0-only
-subdir-y := mdp genheaders
+subdir-y := mdp
diff --git a/scripts/selinux/genheaders/.gitignore b/scripts/selinux/genheaders/.gitignore
deleted file mode 100644
index 5fcadd307908..000000000000
--- a/scripts/selinux/genheaders/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-# SPDX-License-Identifier: GPL-2.0-only
-genheaders
diff --git a/scripts/selinux/genheaders/Makefile b/scripts/selinux/genheaders/Makefile
deleted file mode 100644
index 1faf7f07e8db..000000000000
--- a/scripts/selinux/genheaders/Makefile
+++ /dev/null
@@ -1,5 +0,0 @@
-# SPDX-License-Identifier: GPL-2.0
-hostprogs-always-y += genheaders
-HOST_EXTRACFLAGS += \
-	-I$(srctree)/include/uapi -I$(srctree)/include \
-	-I$(srctree)/security/selinux/include
diff --git a/scripts/selinux/genheaders/genheaders.c b/scripts/selinux/genheaders/genheaders.c
deleted file mode 100644
index 15520806889e..000000000000
--- a/scripts/selinux/genheaders/genheaders.c
+++ /dev/null
@@ -1,157 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-
-/* NOTE: we really do want to use the kernel headers here */
-#define __EXPORTED_HEADERS__
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <errno.h>
-#include <ctype.h>
-
-struct security_class_mapping {
-	const char *name;
-	const char *perms[sizeof(unsigned) * 8 + 1];
-};
-
-#include "classmap.h"
-#include "initial_sid_to_string.h"
-
-const char *progname;
-
-static void usage(void)
-{
-	printf("usage: %s flask.h av_permissions.h\n", progname);
-	exit(1);
-}
-
-static char *stoupperx(const char *s)
-{
-	char *s2 = strdup(s);
-	char *p;
-
-	if (!s2) {
-		fprintf(stderr, "%s:  out of memory\n", progname);
-		exit(3);
-	}
-
-	for (p = s2; *p; p++)
-		*p = toupper(*p);
-	return s2;
-}
-
-int main(int argc, char *argv[])
-{
-	int i, j;
-	int isids_len;
-	FILE *fout;
-
-	progname = argv[0];
-
-	if (argc < 3)
-		usage();
-
-	fout = fopen(argv[1], "w");
-	if (!fout) {
-		fprintf(stderr, "Could not open %s for writing:  %s\n",
-			argv[1], strerror(errno));
-		exit(2);
-	}
-
-	fprintf(fout, "/* This file is automatically generated.  Do not edit. */\n");
-	fprintf(fout, "#ifndef _SELINUX_FLASK_H_\n#define _SELINUX_FLASK_H_\n\n");
-
-	for (i = 0; secclass_map[i].name; i++) {
-		char *name = stoupperx(secclass_map[i].name);
-
-		fprintf(fout, "#define SECCLASS_%-39s %2d\n", name, i+1);
-		free(name);
-	}
-
-	fprintf(fout, "\n");
-
-	isids_len = sizeof(initial_sid_to_string) / sizeof(char *);
-	for (i = 1; i < isids_len; i++) {
-		const char *s = initial_sid_to_string[i];
-		if (s) {
-			char *sidname = stoupperx(s);
-
-			fprintf(fout, "#define SECINITSID_%-39s %2d\n", sidname, i);
-			free(sidname);
-		}
-	}
-	fprintf(fout, "\n#define SECINITSID_NUM %d\n", i-1);
-	fprintf(fout, "\nstatic inline bool security_is_socket_class(u16 kern_tclass)\n");
-	fprintf(fout, "{\n");
-	fprintf(fout, "\tbool sock = false;\n\n");
-	fprintf(fout, "\tswitch (kern_tclass) {\n");
-	for (i = 0; secclass_map[i].name; i++) {
-		static char s[] = "SOCKET";
-		int len, l;
-		char *name = stoupperx(secclass_map[i].name);
-
-		len = strlen(name);
-		l = sizeof(s) - 1;
-		if (len >= l && memcmp(name + len - l, s, l) == 0)
-			fprintf(fout, "\tcase SECCLASS_%s:\n", name);
-		free(name);
-	}
-	fprintf(fout, "\t\tsock = true;\n");
-	fprintf(fout, "\t\tbreak;\n");
-	fprintf(fout, "\tdefault:\n");
-	fprintf(fout, "\t\tbreak;\n");
-	fprintf(fout, "\t}\n\n");
-	fprintf(fout, "\treturn sock;\n");
-	fprintf(fout, "}\n");
-
-	fprintf(fout, "\n#endif\n");
-
-	if (fclose(fout) != 0) {
-		fprintf(stderr, "Could not successfully close %s:  %s\n",
-			argv[1], strerror(errno));
-		exit(4);
-	}
-
-	fout = fopen(argv[2], "w");
-	if (!fout) {
-		fprintf(stderr, "Could not open %s for writing:  %s\n",
-			argv[2], strerror(errno));
-		exit(5);
-	}
-
-	fprintf(fout, "/* This file is automatically generated.  Do not edit. */\n");
-	fprintf(fout, "#ifndef _SELINUX_AV_PERMISSIONS_H_\n#define _SELINUX_AV_PERMISSIONS_H_\n\n");
-
-	for (i = 0; secclass_map[i].name; i++) {
-		const struct security_class_mapping *map = &secclass_map[i];
-		int len;
-		char *name = stoupperx(map->name);
-
-		len = strlen(name);
-		for (j = 0; map->perms[j]; j++) {
-			char *permname;
-
-			if (j >= 32) {
-				fprintf(stderr, "Too many permissions to fit into an access vector at (%s, %s).\n",
-					map->name, map->perms[j]);
-				exit(5);
-			}
-			permname = stoupperx(map->perms[j]);
-			fprintf(fout, "#define %s__%-*s 0x%08xU\n", name,
-				39-len, permname, 1U<<j);
-			free(permname);
-		}
-		free(name);
-	}
-
-	fprintf(fout, "\n#endif\n");
-
-	if (fclose(fout) != 0) {
-		fprintf(stderr, "Could not successfully close %s:  %s\n",
-			argv[2], strerror(errno));
-		exit(6);
-	}
-
-	exit(0);
-}
diff --git a/scripts/selinux/mdp/Makefile b/scripts/selinux/mdp/Makefile
index d61058ddd15c..673782e3212f 100644
--- a/scripts/selinux/mdp/Makefile
+++ b/scripts/selinux/mdp/Makefile
@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: GPL-2.0
 hostprogs-always-y += mdp
 HOST_EXTRACFLAGS += \
-	-I$(srctree)/include/uapi -I$(srctree)/include \
+	-I$(srctree)/include \
 	-I$(srctree)/security/selinux/include -I$(objtree)/include
 
 clean-files	:= policy.* file_contexts
diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
index 1415604c3d24..52365921c043 100644
--- a/scripts/selinux/mdp/mdp.c
+++ b/scripts/selinux/mdp/mdp.c
@@ -11,10 +11,6 @@
  * Authors: Serge E. Hallyn <serue@us.ibm.com>
  */
 
-
-/* NOTE: we really do want to use the kernel headers here */
-#define __EXPORTED_HEADERS__
-
 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>