From: James Morris <jmorris@namei.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [GIT PULL] Security subsystem changes for 4.3
Date: Tue, 1 Sep 2015 10:00:09 +1000 (AEST) [thread overview]
Message-ID: <alpine.LRH.2.20.1509010942230.19234@namei.org> (raw)
Highlights:
o PKCS#7 support added to support signed kexec, also utilized for module
signing. See comments in 3f1e1bea.
** NOTE: this requires linking against the OpenSSL library, which must
be installed, e.g. the openssl-devel on Fedora **
o Smack: add IPv6 host labeling; ignore labels on kernel threads;
support smack labeling mounts which use binary mount data
o SELinux: add ioctl whitelisting (see
http://kernsec.org/files/lss2015/vanderstoep.pdf); fix mprotect
PROT_EXEC regression caused by mm change
o Seccomp: add ptrace options for suspend/resume
Please pull.
---
The following changes since commit e5aeced6bcec5a110e6dfcb78acc203dbe895b59:
Merge tag 'spi-v4.3' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi (2015-08-31 15:55:49 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next
Casey Schaufler (3):
Smack: IPv6 host labeling
Smack: Three symbols that should be static
Smack - Fix build error with bringup unconfigured
David Howells (28):
selinux: Create a common helper to determine an inode label [ver #3]
ASN.1: Fix handling of CHOICE in ASN.1 compiler
ASN.1: Fix actions on CHOICE elements with IMPLICIT tags
ASN.1: Fix non-match detection failure on data overrun
ASN.1: Handle 'ANY OPTIONAL' in grammar
ASN.1: Add an ASN.1 compiler option to dump the element tree
ASN.1: Copy string names to tokens in ASN.1 compiler
X.509: Extract both parts of the AuthorityKeyIdentifier
X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifier
PKCS#7: Allow detached data to be supplied for signature checking purposes
MODSIGN: Provide a utility to append a PKCS#7 signature to a module
MODSIGN: Use PKCS#7 messages as module signatures
system_keyring.c doesn't need to #include module-internal.h
MODSIGN: Extract the blob PKCS#7 signature verifier from module signing
MAINTAINERS: The keyrings mailing list has moved
PKCS#7: Check content type and versions
X.509: Change recorded SKID & AKID to not include Subject or Issuer
PKCS#7: Support CMS messages also [RFC5652]
sign-file: Generate CMS message as signature instead of PKCS#7
PKCS#7: Improve and export the X.509 ASN.1 time object decoder
KEYS: Add a name for PKEY_ID_PKCS7
PKCS#7: Appropriately restrict authenticated attributes and content type
sign-file: Document dependency on OpenSSL devel libraries
PKCS#7: Add MODULE_LICENSE() to test module
sign-file: Fix warning about BIO_reset() return value
Move certificate handling to its own directory
Documentation/Changes: Now need OpenSSL devel packages for module signing
PKCS#7: Add OIDs for sha224, sha284 and sha512 hash algos and use them
David Woodhouse (11):
modsign: Abort modules_install when signing fails
modsign: Allow password to be specified for signing key
modsign: Allow signing key to be PKCS#11
modsign: Allow external signing key to be specified
modsign: Extract signing cert from CONFIG_MODULE_SIG_KEY if needed
modsign: Use single PEM file for autogenerated key
modsign: Add explicit CONFIG_SYSTEM_TRUSTED_KEYS option
extract-cert: Cope with multiple X.509 certificates in a single file
modsign: Use extract-cert to process CONFIG_SYSTEM_TRUSTED_KEYS
modsign: Use if_changed rule for extracting cert from module signing key
modsign: Handle signing key in source tree
James Morris (7):
Merge tag 'seccomp-next' of git://git.kernel.org/.../kees/linux into next
Merge tag 'asn1-fixes-20150805' of git://git.kernel.org/.../dhowells/linux-fs into next
Merge branch 'smack-for-4.3' of https://github.com/cschaufler/smack-next into next
Merge tag 'modsign-pkcs7-20150812-3' of git://git.kernel.org/.../dhowells/linux-fs into next
Merge branch 'smack-for-4.3' of https://github.com/cschaufler/smack-next into next
Merge branch 'next' of git://git.infradead.org/users/pcmoore/selinux into next
Merge tag 'modsign-pkcs7-20150814' of git://git.kernel.org/.../dhowells/linux-fs into ra-next
Jeff Vander Stoep (2):
security: add ioctl specific auditing to lsm_audit
selinux: extended permissions for ioctls
Kees Cook (2):
seccomp: swap hard-coded zeros to defined name
Yama: remove needless CONFIG_SECURITY_YAMA_STACKED
Laurent Bigonville (1):
selinux: explicitly declare the role "base_r"
Luis R. Rodriguez (1):
sign-file: Add option to only create signature file
Paul Gortmaker (1):
scripts: add extract-cert and sign-file to .gitignore
Pranith Kumar (1):
seccomp: Replace smp_read_barrier_depends() with lockless_dereference()
Roman Kubiak (1):
Kernel threads excluded from smack checks
Stephen Smalley (2):
selinux: initialize sock security class to default value
selinux: Augment BUG_ON assertion for secclass_map.
Tycho Andersen (1):
seccomp: add ptrace options for suspend/resume
Vivek Trivedi (1):
smack: allow mount opts setting over filesystems with binary mount data
Waiman Long (1):
selinux: reduce locking overhead in inode_free_security()
kbuild test robot (1):
sysfs: fix simple_return.cocci warnings
.gitignore | 1 +
Documentation/Changes | 17 +-
Documentation/kbuild/kbuild.txt | 5 +
Documentation/module-signing.txt | 56 +++-
Documentation/security/Smack.txt | 27 ++-
Documentation/security/Yama.txt | 10 +-
MAINTAINERS | 21 +-
Makefile | 13 +-
arch/mips/configs/pistachio_defconfig | 1 -
arch/x86/kernel/kexec-bzimage64.c | 4 +-
certs/Kconfig | 42 +++
certs/Makefile | 94 ++++++
{kernel => certs}/system_certificates.S | 5 +-
{kernel => certs}/system_keyring.c | 53 +++-
crypto/Kconfig | 1 +
crypto/asymmetric_keys/Makefile | 8 +-
crypto/asymmetric_keys/asymmetric_type.c | 11 +
crypto/asymmetric_keys/mscode_parser.c | 9 +
crypto/asymmetric_keys/pkcs7.asn1 | 22 +-
crypto/asymmetric_keys/pkcs7_key_type.c | 17 +-
crypto/asymmetric_keys/pkcs7_parser.c | 277 +++++++++++++++-
crypto/asymmetric_keys/pkcs7_parser.h | 20 +-
crypto/asymmetric_keys/pkcs7_trust.c | 10 +-
crypto/asymmetric_keys/pkcs7_verify.c | 145 +++++++-
crypto/asymmetric_keys/public_key.c | 1 +
crypto/asymmetric_keys/verify_pefile.c | 7 +-
crypto/asymmetric_keys/x509_akid.asn1 | 35 ++
crypto/asymmetric_keys/x509_cert_parser.c | 231 +++++++++-----
crypto/asymmetric_keys/x509_parser.h | 12 +-
crypto/asymmetric_keys/x509_public_key.c | 95 ++++--
include/crypto/pkcs7.h | 13 +-
include/crypto/public_key.h | 18 +-
include/keys/system_keyring.h | 7 +
include/linux/asn1_ber_bytecode.h | 16 +-
include/linux/lsm_audit.h | 7 +
include/linux/lsm_hooks.h | 6 +-
include/linux/oid_registry.h | 7 +-
include/linux/ptrace.h | 1 +
include/linux/seccomp.h | 2 +-
include/linux/verify_pefile.h | 6 +-
include/uapi/linux/ptrace.h | 6 +-
init/Kconfig | 40 ++-
kernel/Makefile | 97 ------
kernel/module_signing.c | 213 ++-----------
kernel/ptrace.c | 13 +
kernel/seccomp.c | 17 +-
lib/asn1_decoder.c | 27 ++-
scripts/.gitignore | 2 +
scripts/Kbuild.include | 51 +++
scripts/Makefile | 4 +
scripts/Makefile.modinst | 2 +-
scripts/asn1_compiler.c | 248 +++++++++------
scripts/extract-cert.c | 166 ++++++++++
scripts/selinux/mdp/mdp.c | 1 +
scripts/sign-file | 421 ------------------------
scripts/sign-file.c | 260 +++++++++++++++
security/Kconfig | 5 -
security/lsm_audit.c | 15 +
security/security.c | 11 +-
security/selinux/avc.c | 418 +++++++++++++++++++++++-
security/selinux/hooks.c | 147 ++++++---
security/selinux/include/avc.h | 6 +
security/selinux/include/security.h | 32 ++-
security/selinux/ss/avtab.c | 104 +++++-
security/selinux/ss/avtab.h | 33 ++-
security/selinux/ss/conditional.c | 32 ++-
security/selinux/ss/conditional.h | 6 +-
security/selinux/ss/policydb.c | 5 +
security/selinux/ss/services.c | 213 +++++++++++--
security/selinux/ss/services.h | 6 +
security/smack/smack.h | 66 ++++-
security/smack/smack_access.c | 6 +
security/smack/smack_lsm.c | 511 ++++++++++++++++++++++-------
security/smack/smackfs.c | 436 ++++++++++++++++++++-----
security/yama/Kconfig | 9 +-
security/yama/yama_lsm.c | 32 +--
76 files changed, 3588 insertions(+), 1406 deletions(-)
create mode 100644 certs/Kconfig
create mode 100644 certs/Makefile
rename {kernel => certs}/system_certificates.S (80%)
rename {kernel => certs}/system_keyring.c (68%)
create mode 100644 crypto/asymmetric_keys/x509_akid.asn1
create mode 100644 scripts/extract-cert.c
delete mode 100755 scripts/sign-file
create mode 100755 scripts/sign-file.c
next reply other threads:[~2015-09-01 0:00 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-01 0:00 James Morris [this message]
2015-09-01 4:30 ` [GIT PULL] Security subsystem changes for 4.3 Stephen Rothwell
2015-09-02 0:05 ` James Morris
2015-09-08 20:32 ` Linus Torvalds
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.LRH.2.20.1509010942230.19234@namei.org \
--to=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.