Merge tag 'selinux-pr-20201214' of git://git.kernel.org/pub/scm/linux/kernel/git...

Pull selinux updates from Paul Moore:
 "While we have a small number of SELinux patches for v5.11, there are a
  few changes worth highlighting:

   - Change the LSM network hooks to pass flowi_common structs instead
     of the parent flowi struct as the LSMs do not currently need the
     full flowi struct and they do not have enough information to use it
     safely (missing information on the address family).

     This patch was discussed both with Herbert Xu (representing team
     netdev) and James Morris (representing team
     LSMs-other-than-SELinux).

   - Fix how we handle errors in inode_doinit_with_dentry() so that we
     attempt to properly label the inode on following lookups instead of
     continuing to treat it as unlabeled.

   - Tweak the kernel logic around allowx, auditallowx, and dontauditx
     SELinux policy statements such that the auditx/dontauditx are
     effective even without the allowx statement.

  Everything passes our test suite"

* tag 'selinux-pr-20201214' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  lsm,selinux: pass flowi_common instead of flowi to the LSM hooks
  selinux: Fix fall-through warnings for Clang
  selinux: drop super_block backpointer from superblock_security_struct
  selinux: fix inode_doinit_with_dentry() LABEL_INVALID error handling
  selinux: allow dontauditx and auditallowx rules to take effect without allowx
  selinux: fix error initialization in inode_doinit_with_dentry()

diff --cc drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.c
Simple merge

diff --cc include/linux/lsm_hook_defs.h
Simple merge

diff --cc include/linux/security.h
index 77c7fe5,469273e..c35ea0f
--- 1/include/linux/security.h
--- 2/include/linux/security.h
+++ b/include/linux/security.h
@@@ -1356,10 -1355,11 +1356,11 @@@ int security_socket_getpeersec_dgram(st
  int security_sk_alloc(struct sock *sk, int family, gfp_t priority);
  void security_sk_free(struct sock *sk);
  void security_sk_clone(const struct sock *sk, struct sock *newsk);
- void security_sk_classify_flow(struct sock *sk, struct flowi *fl);
- void security_req_classify_flow(const struct request_sock *req, struct flowi *fl);
+ void security_sk_classify_flow(struct sock *sk, struct flowi_common *flic);
+ void security_req_classify_flow(const struct request_sock *req,
+                               struct flowi_common *flic);
  void security_sock_graft(struct sock*sk, struct socket *parent);
 -int security_inet_conn_request(struct sock *sk,
 +int security_inet_conn_request(const struct sock *sk,
                        struct sk_buff *skb, struct request_sock *req);
  void security_inet_csk_clone(struct sock *newsk,
                        const struct request_sock *req);

diff --cc net/dccp/ipv4.c
Simple merge

diff --cc net/dccp/ipv6.c
Simple merge

diff --cc net/ipv4/inet_connection_sock.c
Simple merge

diff --cc net/ipv4/syncookies.c
Simple merge

diff --cc net/ipv4/udp.c
Simple merge

diff --cc net/ipv6/af_inet6.c
Simple merge

diff --cc net/ipv6/icmp.c
Simple merge

diff --cc net/ipv6/netfilter/nf_reject_ipv6.c
Simple merge

diff --cc net/ipv6/syncookies.c
Simple merge

diff --cc net/ipv6/tcp_ipv6.c
Simple merge

diff --cc net/ipv6/udp.c
Simple merge

diff --cc net/netfilter/nf_synproxy_core.c
Simple merge

diff --cc net/xfrm/xfrm_state.c
Simple merge

diff --cc security/security.c
Simple merge

diff --cc security/selinux/hooks.c
Simple merge