* [GIT PULL] integrity subsystem updates for v5.6
@ 2020-01-28 20:09 Mimi Zohar
From: Mimi Zohar @ 2020-01-28 20:09 UTC
  To: Linus Torvalds; +Cc: linux-integrity, linux-kernel

Hi Linus,

Two new features - measuring certificates and querying IMA for a file
hash - and three bug fixes are included in this pull request.

- Measuring certificates is like the rest of IMA, based on policy, but
requires loading a custom policy.  Certificates loaded onto a keyring,
for example during early boot, before a custom policy has been loaded,
are queued and only processed after loading the custom policy.

- IMA calculates and caches file hashes.  Other kernel subsystems,
and possibly kernel modules, are interested in accessing these cached
file hashes.

The bug fixes prevent classifying a file short read (e.g. shutdown)
as an invalid file signature, add a missing blank when displaying the
securityfs policy rules containing LSM labels, and, lastly, fix the
handling of the IMA policy information for unknown LSM labels.

thanks,

Mimi

The following changes since commit e42617b825f8073569da76dc4510bfa019b1c35a:

  Linux 5.5-rc1 (2019-12-08 14:57:55 -0800)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity

for you to fetch changes up to d54e17b4066612d88c4ef3e5fb3115f12733763d:

  Merge branch 'next-integrity.defer-measuring-keys' into next-integrity (2020-01-23 17:24:35 -0500)

----------------------------------------------------------------
Clay Chang (1):
      ima: Add a space after printing LSM rules for readability

Florent Revest (1):
      ima: add the ability to query the cached hash of a given file

Janne Karhunen (1):
      ima: ima/lsm policy rule loading logic bug fixes

Lakshmi Ramasubramanian (11):
      IMA: Check IMA policy flag
      IMA: Add KEY_CHECK func to measure keys
      IMA: Define an IMA hook to measure keys
      KEYS: Call the IMA hook to measure keys
      IMA: Add support to limit measuring keys
      IMA: Read keyrings= option from the IMA policy
      IMA: fix measuring asymmetric keys Kconfig
      IMA: pre-allocate buffer to hold keyrings string
      IMA: Define workqueue for early boot key measurements
      IMA: Call workqueue functions to measure queued keys
      IMA: Defined delayed workqueue to free the queued keys

Mimi Zohar (2):
      Merge branch 'next-integrity.measure-keys' into next-integrity
      Merge branch 'next-integrity.defer-measuring-keys' into next-integrity

Patrick Callaghan (1):
      ima: avoid appraise error for hash calc interrupt

 Documentation/ABI/testing/ima_policy         |  16 ++-
 include/linux/ima.h                          |  20 ++++
 security/integrity/ima/Kconfig               |  12 ++
 security/integrity/ima/Makefile              |   2 +
 security/integrity/ima/ima.h                 |  33 +++++-
 security/integrity/ima/ima_api.c             |   8 +-
 security/integrity/ima/ima_appraise.c        |   4 +-
 security/integrity/ima/ima_asymmetric_keys.c |  66 +++++++++++
 security/integrity/ima/ima_crypto.c          |   4 +-
 security/integrity/ima/ima_init.c            |   8 +-
 security/integrity/ima/ima_main.c            |  61 +++++++++-
 security/integrity/ima/ima_policy.c          | 165 ++++++++++++++++++++++----
 security/integrity/ima/ima_queue_keys.c      | 171 +++++++++++++++++++++++++++
 security/keys/key.c                          |  10 ++
 14 files changed, 540 insertions(+), 40 deletions(-)
 create mode 100644 security/integrity/ima/ima_asymmetric_keys.c
 create mode 100644 security/integrity/ima/ima_queue_keys.c


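Added example, not part of the original mail or of the kernel tree: a check a verifier could run over the IMA runtime measurement list once a custom policy enables key measurement (KEY_CHECK with a keyrings= list, as named in the shortlog above). It assumes the ima-buf template line layout (PCR, template hash, template name, algo:digest, keyring name, hex-encoded key data); the function names and sample lines are constructed for illustration.

```python
import hashlib
from typing import NamedTuple, Optional, Set


class KeyMeasurement(NamedTuple):
    pcr: int
    keyring: str
    algo: str
    digest_ok: bool   # True when the recorded digest matches the logged key data
    data_len: int     # length of the decoded key data in bytes


def parse_key_measurements(text: str, keyrings: Optional[Set[str]] = None):
    """Return ima-buf entries, optionally limited to the expected keyring names."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        # File measurements (ima-ng, ima-sig) have a different layout; skip them.
        if len(fields) != 6 or fields[2] != "ima-buf":
            continue
        pcr, _template_hash, _template, d_ng, name, buf_hex = fields
        # ima-buf is shared with other buffer measurements, so filter by name.
        if keyrings is not None and name not in keyrings:
            continue
        algo, _, recorded = d_ng.partition(":")
        try:
            data = bytes.fromhex(buf_hex)
            ok = hashlib.new(algo, data).hexdigest() == recorded.lower()
        except ValueError:  # malformed hex or unknown hash algorithm
            data, ok = b"", False
        found.append(KeyMeasurement(int(pcr), name, algo, ok, len(data)))
    return found


def _line(name: str, buf: bytes, digest: Optional[str] = None) -> str:
    """Build one constructed ima-buf line; the template hash is a placeholder."""
    d = digest or hashlib.sha256(buf).hexdigest()
    return f"10 {'0' * 40} ima-buf sha256:{d} {name} {buf.hex()}"


# Constructed sample: one file entry, two key entries (the second with a
# digest that does not match its data), and one non-key buffer entry.
SAMPLE = "\n".join([
    f"10 {'0' * 40} ima-ng sha256:{'1' * 64} /usr/bin/bash",
    _line(".builtin_trusted_keys", bytes.fromhex("3082") + b"constructed-cert-A"),
    _line(".ima", bytes.fromhex("3082") + b"constructed-cert-B", digest="f" * 64),
    _line("kexec-cmdline", b"root=/dev/sda1 ro"),
])

if __name__ == "__main__":
    for entry in parse_key_measurements(SAMPLE, {".builtin_trusted_keys", ".ima"}):
        print(entry)
```

An entry with digest_ok False, or an expected keyring with no entries at all, is the condition worth alerting on.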

* Re: [GIT PULL] integrity subsystem updates for v5.6
@ 2020-01-29  3:00 ` pr-tracker-bot
From: pr-tracker-bot @ 2020-01-29  3:00 UTC
  To: Mimi Zohar; +Cc: Linus Torvalds, linux-integrity, linux-kernel

The pull request you sent on Tue, 28 Jan 2020 15:09:46 -0500:

> git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/73a0bff2058f2403c604371c325fec737ac2ac61

Thank you!

-- 
Deet-doot-dot, I am a bot.
https://korg.wiki.kernel.org/userdoc/prtracker
