* [GIT PULL] Security subsystem changes for 4.3
From: James Morris @ 2015-09-01 0:00 UTC
To: Linus Torvalds; +Cc: linux-kernel, linux-security-module
Highlights:

 o PKCS#7 support added to support signed kexec, also utilized for module
   signing. See comments in 3f1e1bea.

   ** NOTE: this requires linking against the OpenSSL library, which must
   be installed, e.g. the openssl-devel on Fedora **

 o Smack: add IPv6 host labeling; ignore labels on kernel threads;
   support smack labeling mounts which use binary mount data

 o SELinux: add ioctl whitelisting (see
   http://kernsec.org/files/lss2015/vanderstoep.pdf); fix mprotect
   PROT_EXEC regression caused by mm change

 o Seccomp: add ptrace options for suspend/resume

Please pull.

---

The following changes since commit e5aeced6bcec5a110e6dfcb78acc203dbe895b59:

  Merge tag 'spi-v4.3' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi (2015-08-31 15:55:49 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next

Casey Schaufler (3):
      Smack: IPv6 host labeling
      Smack: Three symbols that should be static
      Smack - Fix build error with bringup unconfigured

David Howells (28):
      selinux: Create a common helper to determine an inode label [ver #3]
      ASN.1: Fix handling of CHOICE in ASN.1 compiler
      ASN.1: Fix actions on CHOICE elements with IMPLICIT tags
      ASN.1: Fix non-match detection failure on data overrun
      ASN.1: Handle 'ANY OPTIONAL' in grammar
      ASN.1: Add an ASN.1 compiler option to dump the element tree
      ASN.1: Copy string names to tokens in ASN.1 compiler
      X.509: Extract both parts of the AuthorityKeyIdentifier
      X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifier
      PKCS#7: Allow detached data to be supplied for signature checking purposes
      MODSIGN: Provide a utility to append a PKCS#7 signature to a module
      MODSIGN: Use PKCS#7 messages as module signatures
      system_keyring.c doesn't need to #include module-internal.h
      MODSIGN: Extract the blob PKCS#7 signature verifier from module signing
      MAINTAINERS: The keyrings mailing list has moved
      PKCS#7: Check content type and versions
      X.509: Change recorded SKID & AKID to not include Subject or Issuer
      PKCS#7: Support CMS messages also [RFC5652]
      sign-file: Generate CMS message as signature instead of PKCS#7
      PKCS#7: Improve and export the X.509 ASN.1 time object decoder
      KEYS: Add a name for PKEY_ID_PKCS7
      PKCS#7: Appropriately restrict authenticated attributes and content type
      sign-file: Document dependency on OpenSSL devel libraries
      PKCS#7: Add MODULE_LICENSE() to test module
      sign-file: Fix warning about BIO_reset() return value
      Move certificate handling to its own directory
      Documentation/Changes: Now need OpenSSL devel packages for module signing
      PKCS#7: Add OIDs for sha224, sha284 and sha512 hash algos and use them

David Woodhouse (11):
      modsign: Abort modules_install when signing fails
      modsign: Allow password to be specified for signing key
      modsign: Allow signing key to be PKCS#11
      modsign: Allow external signing key to be specified
      modsign: Extract signing cert from CONFIG_MODULE_SIG_KEY if needed
      modsign: Use single PEM file for autogenerated key
      modsign: Add explicit CONFIG_SYSTEM_TRUSTED_KEYS option
      extract-cert: Cope with multiple X.509 certificates in a single file
      modsign: Use extract-cert to process CONFIG_SYSTEM_TRUSTED_KEYS
      modsign: Use if_changed rule for extracting cert from module signing key
      modsign: Handle signing key in source tree

James Morris (7):
      Merge tag 'seccomp-next' of git://git.kernel.org/.../kees/linux into next
      Merge tag 'asn1-fixes-20150805' of git://git.kernel.org/.../dhowells/linux-fs into next
      Merge branch 'smack-for-4.3' of https://github.com/cschaufler/smack-next into next
      Merge tag 'modsign-pkcs7-20150812-3' of git://git.kernel.org/.../dhowells/linux-fs into next
      Merge branch 'smack-for-4.3' of https://github.com/cschaufler/smack-next into next
      Merge branch 'next' of git://git.infradead.org/users/pcmoore/selinux into next
      Merge tag 'modsign-pkcs7-20150814' of git://git.kernel.org/.../dhowells/linux-fs into ra-next

Jeff Vander Stoep (2):
      security: add ioctl specific auditing to lsm_audit
      selinux: extended permissions for ioctls

Kees Cook (2):
      seccomp: swap hard-coded zeros to defined name
      Yama: remove needless CONFIG_SECURITY_YAMA_STACKED

Laurent Bigonville (1):
      selinux: explicitly declare the role "base_r"

Luis R. Rodriguez (1):
      sign-file: Add option to only create signature file

Paul Gortmaker (1):
      scripts: add extract-cert and sign-file to .gitignore

Pranith Kumar (1):
      seccomp: Replace smp_read_barrier_depends() with lockless_dereference()

Roman Kubiak (1):
      Kernel threads excluded from smack checks

Stephen Smalley (2):
      selinux: initialize sock security class to default value
      selinux: Augment BUG_ON assertion for secclass_map.

Tycho Andersen (1):
      seccomp: add ptrace options for suspend/resume

Vivek Trivedi (1):
      smack: allow mount opts setting over filesystems with binary mount data

Waiman Long (1):
      selinux: reduce locking overhead in inode_free_security()

kbuild test robot (1):
      sysfs: fix simple_return.cocci warnings

.gitignore | 1 +
Documentation/Changes | 17 +-
Documentation/kbuild/kbuild.txt | 5 +
Documentation/module-signing.txt | 56 +++-
Documentation/security/Smack.txt | 27 ++-
Documentation/security/Yama.txt | 10 +-
MAINTAINERS | 21 +-
Makefile | 13 +-
arch/mips/configs/pistachio_defconfig | 1 -
arch/x86/kernel/kexec-bzimage64.c | 4 +-
certs/Kconfig | 42 +++
certs/Makefile | 94 ++++++
{kernel => certs}/system_certificates.S | 5 +-
{kernel => certs}/system_keyring.c | 53 +++-
crypto/Kconfig | 1 +
crypto/asymmetric_keys/Makefile | 8 +-
crypto/asymmetric_keys/asymmetric_type.c | 11 +
crypto/asymmetric_keys/mscode_parser.c | 9 +
crypto/asymmetric_keys/pkcs7.asn1 | 22 +-
crypto/asymmetric_keys/pkcs7_key_type.c | 17 +-
crypto/asymmetric_keys/pkcs7_parser.c | 277 +++++++++++++++-
crypto/asymmetric_keys/pkcs7_parser.h | 20 +-
crypto/asymmetric_keys/pkcs7_trust.c | 10 +-
crypto/asymmetric_keys/pkcs7_verify.c | 145 +++++++-
crypto/asymmetric_keys/public_key.c | 1 +
crypto/asymmetric_keys/verify_pefile.c | 7 +-
crypto/asymmetric_keys/x509_akid.asn1 | 35 ++
crypto/asymmetric_keys/x509_cert_parser.c | 231 +++++++++-----
crypto/asymmetric_keys/x509_parser.h | 12 +-
crypto/asymmetric_keys/x509_public_key.c | 95 ++++--
include/crypto/pkcs7.h | 13 +-
include/crypto/public_key.h | 18 +-
include/keys/system_keyring.h | 7 +
include/linux/asn1_ber_bytecode.h | 16 +-
include/linux/lsm_audit.h | 7 +
include/linux/lsm_hooks.h | 6 +-
include/linux/oid_registry.h | 7 +-
include/linux/ptrace.h | 1 +
include/linux/seccomp.h | 2 +-
include/linux/verify_pefile.h | 6 +-
include/uapi/linux/ptrace.h | 6 +-
init/Kconfig | 40 ++-
kernel/Makefile | 97 ------
kernel/module_signing.c | 213 ++-----------
kernel/ptrace.c | 13 +
kernel/seccomp.c | 17 +-
lib/asn1_decoder.c | 27 ++-
scripts/.gitignore | 2 +
scripts/Kbuild.include | 51 +++
scripts/Makefile | 4 +
scripts/Makefile.modinst | 2 +-
scripts/asn1_compiler.c | 248 +++++++++------
scripts/extract-cert.c | 166 ++++++++++
scripts/selinux/mdp/mdp.c | 1 +
scripts/sign-file | 421 ------------------------
scripts/sign-file.c | 260 +++++++++++++++
security/Kconfig | 5 -
security/lsm_audit.c | 15 +
security/security.c | 11 +-
security/selinux/avc.c | 418 +++++++++++++++++++++++-
security/selinux/hooks.c | 147 ++++++---
security/selinux/include/avc.h | 6 +
security/selinux/include/security.h | 32 ++-
security/selinux/ss/avtab.c | 104 +++++-
security/selinux/ss/avtab.h | 33 ++-
security/selinux/ss/conditional.c | 32 ++-
security/selinux/ss/conditional.h | 6 +-
security/selinux/ss/policydb.c | 5 +
security/selinux/ss/services.c | 213 +++++++++++--
security/selinux/ss/services.h | 6 +
security/smack/smack.h | 66 ++++-
security/smack/smack_access.c | 6 +
security/smack/smack_lsm.c | 511 ++++++++++++++++++++++-------
security/smack/smackfs.c | 436 ++++++++++++++++++++-----
security/yama/Kconfig | 9 +-
security/yama/yama_lsm.c | 32 +--
76 files changed, 3588 insertions(+), 1406 deletions(-)
create mode 100644 certs/Kconfig
create mode 100644 certs/Makefile
rename {kernel => certs}/system_certificates.S (80%)
rename {kernel => certs}/system_keyring.c (68%)
create mode 100644 crypto/asymmetric_keys/x509_akid.asn1
create mode 100644 scripts/extract-cert.c
delete mode 100755 scripts/sign-file
create mode 100755 scripts/sign-file.c
* Re: [GIT PULL] Security subsystem changes for 4.3
From: Stephen Rothwell @ 2015-09-01 4:30 UTC
To: Linus Torvalds; +Cc: James Morris, linux-kernel, linux-security-module
Hi Linus,
On Tue, 1 Sep 2015 10:00:09 +1000 (AEST) James Morris <jmorris@namei.org> wrote:
>
> Highlights:
>
> o PKCS#7 support added to support signed kexec, also utilized for module
> signing. See comments in 3f1e1bea.
>
> ** NOTE: this requires linking against the OpenSSL library, which must
> be installed, e.g. the openssl-devel on Fedora **
>
> o Smack: add IPv6 host labeling; ignore labels on kernel threads;
> support smack labeling mounts which use binary mount data
>
> o SELinux: add ioctl whitelisting (see
> http://kernsec.org/files/lss2015/vanderstoep.pdf); fix mprotect
> PROT_EXEC regression caused by mm change
>
> o Seccomp: add ptrace options for suspend/resume
>
>
> Please pull.
>
> ---
>
> The following changes since commit e5aeced6bcec5a110e6dfcb78acc203dbe895b59:
>
> Merge tag 'spi-v4.3' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi (2015-08-31 15:55:49 -0700)
>
> are available in the git repository at:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next
This has one commit that has not been in linux-next. Not judging
anything about it, just noting.
> David Howells (28):
> PKCS#7: Add OIDs for sha224, sha284 and sha512 hash algos and use them
--
Cheers,
Stephen Rothwell sfr@canb.auug.org.au
* Re: [GIT PULL] Security subsystem changes for 4.3
From: James Morris @ 2015-09-02 0:05 UTC
To: Stephen Rothwell; +Cc: Linus Torvalds, linux-kernel, linux-security-module
On Tue, 1 Sep 2015, Stephen Rothwell wrote:
> This has one commit that has not been in linux-next. Not judging
> anything about it, just noting.
>
> > David Howells (28):
> > PKCS#7: Add OIDs for sha224, sha284 and sha512 hash algos and use them
This is a minor bugfix which was sent out just before Linus dropped 4.2.
--
James Morris
<jmorris@namei.org>
* Re: [GIT PULL] Security subsystem changes for 4.3
From: Linus Torvalds @ 2015-09-08 20:32 UTC
To: James Morris; +Cc: Linux Kernel Mailing List, LSM List
On Mon, Aug 31, 2015 at 5:00 PM, James Morris <jmorris@namei.org> wrote:
> Highlights:
> o PKCS#7 support added to support signed kexec, also utilized for module
> signing.

So when testing this, I realized that when somebody tries to load a
module with an invalid key, there doesn't seem to be any logs left
about that.

I don't think this is new, it's just that the certificate generation
changes made me test loading a module with the wrong cert, and while
module loading itself failed gracefully and correctly with ENOKEY
("Required key not available"), I also ended up checking dmesg,
because I - clearly incorrectly - thought that we'd warn the sysadmin
about this too).

So I think that module loading failures due to lack of keys really
should raise a few flags. Maybe the system is secure from some
attacks, but you'd still want to know that somebody tried to do
something fishy.

We *do* end up warning ("module verification failed") and tainting the
kernel if we end up loading the module despite the key failing, but
the situation I'm talking about is the "sig_enforce" case, which just
causes a module loading failure with no system warning.

Linus
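
Added example, not part of the thread or of the kernel tree: the message above notes that under "sig_enforce" a refused load returns ENOKEY and leaves no kernel log, so tooling that loads modules has to record what it was handed. This C code classifies a module file's signature trailer (unsigned, malformed, not PKCS#7, PKCS#7). Assumptions: the marker string, descriptor layout and PKEY_ID_PKCS7 value follow the kernel's appended-signature format, and modsig_inspect and modsig_sample are hypothetical names.

```c
#include <stdint.h>
#include <string.h>
#define MODULE_SIG_STRING "~Module signature appended~\n" /* ends a signed .ko */
#define PKEY_ID_PKCS7 2 /* id_type of a PKCS#7 signature blob (assumed value) */
/* Descriptor stored between the signature blob and the marker string. */
struct module_signature {
    uint8_t algo, hash, id_type, signer_len, key_id_len, pad[3];
    uint8_t sig_len[4]; /* big-endian length of the signature blob */
};
enum sig_status { SIG_MISSING, SIG_MALFORMED, SIG_NOT_PKCS7, SIG_PKCS7 };

/* Classify the trailer of a module image: structure only, no key check. */
enum sig_status modsig_inspect(const uint8_t *mod, size_t len, size_t *sig_len)
{
    const size_t mlen = sizeof(MODULE_SIG_STRING) - 1;
    struct module_signature ms;
    if (len < mlen || memcmp(mod + len - mlen, MODULE_SIG_STRING, mlen) != 0)
        return SIG_MISSING;   /* no marker: the module is unsigned */
    len -= mlen;
    if (len < sizeof(ms))
        return SIG_MALFORMED;
    memcpy(&ms, mod + len - sizeof(ms), sizeof(ms));
    len -= sizeof(ms);
    *sig_len = ((size_t)ms.sig_len[0] << 24) | ((size_t)ms.sig_len[1] << 16) |
               ((size_t)ms.sig_len[2] << 8) | ms.sig_len[3];
    if (*sig_len == 0 || *sig_len >= len)
        return SIG_MALFORMED; /* blob does not fit in front of the descriptor */
    if (ms.id_type != PKEY_ID_PKCS7)
        return SIG_NOT_PKCS7;
    if (ms.algo || ms.hash || ms.signer_len || ms.key_id_len)
        return SIG_MALFORMED; /* these fields are zero for PKCS#7 */
    return SIG_PKCS7;
}

/* Constructed sample: 8 bytes of "module", 4-byte fake blob, descriptor, marker. */
size_t modsig_sample(uint8_t *out, uint8_t id_type)
{
    struct module_signature ms = { .id_type = id_type, .sig_len = { 0, 0, 0, 4 } };
    memcpy(out, "\x7f" "ELFxxxx" "\x30\x02\x05\x00", 12);
    memcpy(out + 12, &ms, sizeof(ms));
    memcpy(out + 24, MODULE_SIG_STRING, sizeof(MODULE_SIG_STRING) - 1);
    return 24 + sizeof(MODULE_SIG_STRING) - 1;
}

int main(void)
{
    uint8_t buf[64]; size_t sl;
    return modsig_inspect(buf, modsig_sample(buf, PKEY_ID_PKCS7), &sl) != SIG_PKCS7;
}
```

The check is structural only: a module signed with a key the kernel does not trust still classifies as SIG_PKCS7 and is still refused at load time.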