The following changes since commit 19272b37aa4f83ca52bdf9c16d5d81bdd1354494:

  Linux 6.16-rc1 (2025-06-08 13:44:43 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs.git tags/pull-securityfs

for you to fetch changes up to f42b8d78dee77107245ec5beee3eb01915bcae7f:

  tpm: don't bother with removal of files in directory we'll be removing (2025-06-17 18:11:01 -0400)

----------------------------------------------------------------
securityfs cleanups and fixes:

* one extra reference is enough to pin a dentry down; no need
  for two.  Switch to regular scheme, similar to shmem, debugfs,
  etc. - that fixes securityfs_recursive_remove() dentry leak,
  among other things.

* we need to have the filesystem pinned to prevent the contents
  disappearing; what we do not need is pinning it for each file.
  Doing that only for files and directories in the root is enough.

* the previous two changes allow to get rid of the racy kludges
  in efi_secret_unlink(), where we can use simple_unlink() instead
  of securityfs_remove().  Which does not require unlocking and
  relocking the parent, with all deadlocks that invites.

* Make securityfs_remove() take the entire subtree out, turning
  securityfs_recursive_remove() into its alias.  Makes a lot more
  sense for callers and fixes a mount leak, while we are at it.

* Making securityfs_remove() remove the entire subtree allows for
  much simpler life in most of the users - efi_secret, ima_fs, evm,
  ipe, tpm get cleaner.  I hadn't touched apparmor use of securityfs,
  but I suspect that it would be useful there as well.

----------------------------------------------------------------
Al Viro (10):
      securityfs: don't pin dentries twice, once is enough...
      securityfs: pin filesystem only for objects directly in root
      fix locking in efi_secret_unlink()
      make securityfs_remove() remove the entire subtree
      efi_secret: clean securityfs use up
      ima_fs: don't bother with removal of files in directory we'll be removing
      ima_fs: get rid of lookup-by-dentry stuff
      evm_secfs: clear securityfs interactions
      ipe: don't bother with removal of files in directory we'll be removing
      tpm: don't bother with removal of files in directory we'll be removing

 drivers/char/tpm/eventlog/common.c        |  46 +++-------
 drivers/virt/coco/efi_secret/efi_secret.c |  47 ++--------
 include/linux/security.h                  |   3 +-
 include/linux/tpm.h                       |   2 +-
 security/inode.c                          |  62 +++++---------
 security/integrity/evm/evm_secfs.c        |  15 ++--
 security/integrity/ima/ima_fs.c           | 137 +++++++-----------------------
 security/ipe/fs.c                         |  32 +++----
 security/ipe/policy_fs.c                  |   4 +-
 9 files changed, 97 insertions(+), 251 deletions(-)