Merge tag 'selinux-pr-20250121' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

Pull selinux updates from Paul Moore:

 - Extended permissions supported in conditional policy

   The SELinux extended permissions, aka "xperms", allow security admins
   to target individuals ioctls, and recently netlink messages, with
   their SELinux policy. Adding support for conditional policies allows
   admins to toggle the granular xperms using SELinux booleans, helping
   pave the way for greater use of xperms in general purpose SELinux
   policies. This change bumps the maximum SELinux policy version to 34.

 - Fix a SCTP/SELinux error return code inconsistency

   Depending on the loaded SELinux policy, specifically it's
   EXTSOCKCLASS support, the bind(2) LSM/SELinux hook could return
   different error codes due to the SELinux code checking the socket's
   SELinux object class (which can vary depending on EXTSOCKCLASS) and
   not the socket's sk_protocol field. We fix this by doing the obvious,
   and looking at the sock->sk_protocol field instead of the object
   class.

 - Makefile fixes to properly cleanup av_permissions.h

   Add av_permissions.h to "targets" so that it is properly cleaned up
   using the kbuild infrastructure.

 - A number of smaller improvements by Christian Göttsche

   A variety of straightforward changes to reduce code duplication,
   reduce pointer lookups, migrate void pointers to defined types,
   simplify code, constify function parameters, and correct iterator
   types.

* tag 'selinux-pr-20250121' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: make more use of str_read() when loading the policy
  selinux: avoid unnecessary indirection in struct level_datum
  selinux: use known type instead of void pointer
  selinux: rename comparison functions for clarity
  selinux: rework match_ipv6_addrmask()
  selinux: constify and reconcile function parameter names
  selinux: avoid using types indicating user space interaction
  selinux: supply missing field initializers
  selinux: add netlink nlmsg_type audit message
  selinux: add support for xperms in conditional policies
  selinux: Fix SCTP error inconsistency in selinux_socket_bind()
  selinux: use native iterator types
  selinux: add generated av_permissions.h to targets

1 files changed, 4 insertions, 3 deletions

diff --git a/security/selinux/ss/ebitmap.h b/security/selinux/ss/ebitmap.h
index ba2ac3da1153..c9569998f287 100644
--- a/security/selinux/ss/ebitmap.h
+++ b/security/selinux/ss/ebitmap.h
@@ -120,7 +120,7 @@ static inline void ebitmap_node_clr_bit(struct ebitmap_node *n, u32 bit)
 	     (bit) < ebitmap_length(e);               \
 	     (bit) = ebitmap_next_positive(e, &(n), bit))
 
-int ebitmap_cmp(const struct ebitmap *e1, const struct ebitmap *e2);
+bool ebitmap_equal(const struct ebitmap *e1, const struct ebitmap *e2);
 int ebitmap_cpy(struct ebitmap *dst, const struct ebitmap *src);
 int ebitmap_and(struct ebitmap *dst, const struct ebitmap *e1,
 		const struct ebitmap *e2);
@@ -129,8 +129,9 @@ int ebitmap_contains(const struct ebitmap *e1, const struct ebitmap *e2,
 int ebitmap_get_bit(const struct ebitmap *e, u32 bit);
 int ebitmap_set_bit(struct ebitmap *e, u32 bit, int value);
 void ebitmap_destroy(struct ebitmap *e);
-int ebitmap_read(struct ebitmap *e, void *fp);
-int ebitmap_write(const struct ebitmap *e, void *fp);
+struct policy_file;
+int ebitmap_read(struct ebitmap *e, struct policy_file *fp);
+int ebitmap_write(const struct ebitmap *e, struct policy_file *fp);
 u32 ebitmap_hash(const struct ebitmap *e, u32 hash);
 
 #ifdef CONFIG_NETLABEL