From: Mimi Zohar <zohar@linux.ibm.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-integrity <linux-integrity@vger.kernel.org>,
	linux-kernel <linux-kernel@vger.kernel.org>
Subject: [GIT PULL] integrity subsystem updates for v5.12
Date: Tue, 16 Feb 2021 08:52:01 -0500
Message-ID: <d42636f6983ac73e8c36f727225b213688780d14.camel@linux.ibm.com>

Hi Linus,
  
New is IMA support for measuring kernel critical data, as per usual
based on policy.  The first example measures the in-memory SELinux
policy.  The second example measures the kernel version.

In addition are four bug fixes to address memory leaks and a missing
"static" function declaration.

[FYI: Stephen is carrying a manual merge of the pidfd tree with the
integrity tree.]

thanks,

Mimi


The following changes since commit 7c53f6b671f4aba70ff15e1b05148b10d58c2837:

  Linux 5.11-rc3 (2021-01-10 14:34:50 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v5.12

for you to fetch changes up to f6692213b5045dc461ce0858fb18cf46f328c202:

  integrity: Make function integrity_add_key() static (2021-02-12 11:11:59 -0500)

----------------------------------------------------------------
integrity-v5.12

----------------------------------------------------------------
Dinghao Liu (1):
      evm: Fix memleak in init_desc

Lakshmi Ramasubramanian (4):
      IMA: define a builtin critical data measurement policy
      selinux: include a consumer of the new IMA critical data hook
      ima: Free IMA measurement buffer on error
      ima: Free IMA measurement buffer after kexec syscall

Mimi Zohar (2):
      Merge branch 'measure-critical-data' into next-integrity
      Merge branch 'ima-kexec-fixes' into next-integrity

Raphael Gianotti (1):
      IMA: Measure kernel version in early boot

Tushar Sugandhi (6):
      IMA: generalize keyring specific measurement constructs
      IMA: add support to measure buffer data hash
      IMA: define a hook to measure kernel integrity critical data
      IMA: add policy rule to measure critical data
      IMA: limit critical data measurement based on a label
      IMA: extend critical data hook to limit the measurement based on a label

Wei Yongjun (1):
      integrity: Make function integrity_add_key() static

 Documentation/ABI/testing/ima_policy            |   5 +-
 Documentation/admin-guide/kernel-parameters.txt |   5 +-
 include/linux/ima.h                             |  10 +++
 include/linux/kexec.h                           |   5 ++
 kernel/kexec_file.c                             |   5 ++
 security/integrity/digsig.c                     |   4 +-
 security/integrity/evm/evm_crypto.c             |   7 +-
 security/integrity/ima/ima.h                    |   8 +-
 security/integrity/ima/ima_api.c                |   8 +-
 security/integrity/ima/ima_appraise.c           |   2 +-
 security/integrity/ima/ima_asymmetric_keys.c    |   2 +-
 security/integrity/ima/ima_init.c               |   5 ++
 security/integrity/ima/ima_kexec.c              |   3 +
 security/integrity/ima/ima_main.c               |  59 ++++++++++--
 security/integrity/ima/ima_policy.c             | 115 +++++++++++++++++++-----
 security/integrity/ima/ima_queue_keys.c         |   3 +-
 security/selinux/Makefile                       |   2 +
 security/selinux/ima.c                          |  44 +++++++++
 security/selinux/include/ima.h                  |  24 +++++
 security/selinux/include/security.h             |   3 +-
 security/selinux/ss/services.c                  |  64 +++++++++++--
 21 files changed, 329 insertions(+), 54 deletions(-)
 create mode 100644 security/selinux/ima.c
 create mode 100644 security/selinux/include/ima.h

