From: Mimi Zohar <zohar@linux.ibm.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-integrity <linux-integrity@vger.kernel.org>,
	linux-kernel <linux-kernel@vger.kernel.org>
Subject: [GIT PULL] integrity subsystem updates for v5.14
Date: Mon, 28 Jun 2021 14:10:52 -0400
Message-ID: <12f950a86631e83e9af52faa843cd335ac867af8.camel@linux.ibm.com>

Hi Linus,

The large majority of the changes are EVM portable & immutable
signature related: removing a dependency on loading an HMAC key, safely
allowing file metadata included in the EVM portable & immutable
signatures to be modified, allowing EVM signatures to fulfill IMA file
signature policy requirements, including the EVM file metadata
signature in lieu of an IMA file data signature in the measurement
list, and adding dynamic debugging of EVM file metadata.

In addition, in order to detect critical data or file change
reversions, duplicate measurement records are permitted in the IMA
measurement list.  The remaining patches address compiler, sparse, and
doc warnings.

thanks,

Mimi

The following changes since commit d07f6ca923ea0927a1024dfccafc5b53b61cfecc:

  Linux 5.13-rc2 (2021-05-16 15:27:44 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v5.14

for you to fetch changes up to 907a399de7b0566236c480d0c01ff52220532fb1:

  evm: Check xattr size discrepancy between kernel and user (2021-06-21 08:34:21 -0400)

----------------------------------------------------------------
integrity-v5.14

----------------------------------------------------------------
Gustavo A. R. Silva (1):
      ima: Fix fall-through warning for Clang

Lakshmi Ramasubramanian (1):
      ima: Fix warning: no previous prototype for function 'ima_add_kexec_buffer'

Mimi Zohar (5):
      evm: fix writing <securityfs>/evm overflow
      Merge branch 'misc-evm-v7' into next-integrity
      Merge branch 'verify-evm-portable-sig-v2' into next-integrity
      ima: differentiate between EVM failures in the audit log
      evm: output EVM digest calculation info

Roberto Sassu (25):
      evm: Execute evm_inode_init_security() only when an HMAC key is loaded
      evm: Load EVM key in ima_load_x509() to avoid appraisal
      evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded
      evm: Introduce evm_revalidate_status()
      evm: Introduce evm_hmac_disabled() to safely ignore verification errors
      evm: Allow xattr/attr operations for portable signatures
      evm: Pass user namespace to set/remove xattr hooks
      evm: Allow setxattr() and setattr() for unmodified metadata
      evm: Deprecate EVM_ALLOW_METADATA_WRITES
      ima: Allow imasig requirement to be satisfied by EVM portable signatures
      ima: Introduce template field evmsig and write to field sig as fallback
      ima: Don't remove security.ima if file must not be appraised
      ima: Add ima_show_template_uint() template library function
      ima: Define new template fields iuid and igid
      ima: Define new template field imode
      evm: Verify portable signatures against all protected xattrs
      ima: Define new template fields xattrnames, xattrlengths and xattrvalues
      ima: Define new template evm-sig
      evm: Don't return an error in evm_write_xattrs() if audit is not enabled
      doc: Fix warning in Documentation/security/IMA-templates.rst
      ima: Set correct casting types
      ima/evm: Fix type mismatch
      ima: Include header defining ima_post_key_create_or_update()
      ima: Pass NULL instead of 0 to ima_get_action() in ima_file_mprotect()
      evm: Check xattr size discrepancy between kernel and user

Tushar Sugandhi (1):
      IMA: support for duplicate measurement records

 Documentation/ABI/testing/evm                |  36 ++-
 Documentation/security/IMA-templates.rst     |  12 +-
 include/linux/evm.h                          |  34 ++-
 include/linux/integrity.h                    |   1 +
 security/integrity/evm/evm.h                 |   1 +
 security/integrity/evm/evm_crypto.c          |  58 ++++-
 security/integrity/evm/evm_main.c            | 376 ++++++++++++++++++++++++---
 security/integrity/evm/evm_secfs.c           |  31 ++-
 security/integrity/iint.c                    |   4 +-
 security/integrity/ima/Kconfig               |   7 +
 security/integrity/ima/ima_appraise.c        |  44 +++-
 security/integrity/ima/ima_asymmetric_keys.c |   1 +
 security/integrity/ima/ima_crypto.c          |   4 +-
 security/integrity/ima/ima_fs.c              |   6 +-
 security/integrity/ima/ima_init.c            |   4 +
 security/integrity/ima/ima_kexec.c           |   1 +
 security/integrity/ima/ima_main.c            |   2 +-
 security/integrity/ima/ima_queue.c           |   5 +-
 security/integrity/ima/ima_template.c        |  30 ++-
 security/integrity/ima/ima_template_lib.c    | 211 ++++++++++++++-
 security/integrity/ima/ima_template_lib.h    |  16 ++
 security/security.c                          |   4 +-
 22 files changed, 804 insertions(+), 84 deletions(-)
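As an added illustration of the reversion point in the summary above (not code from this pull request or from the kernel): a constructed, simplified model of the IMA measurement list and the PCR it extends. It shows that when records identical to an earlier one are dropped, a file measured good (A), tampered (B) and restored to A leaves exactly the same list and PCR as a file that stayed at B, so neither the tampering nor the reversion can be told apart by a verifier; allowing duplicates records all three events. The record hashing, the PCR extend, the path and the digests are all made-up stand-ins, not IMA's real template or TPM formats.

```python
import hashlib
from typing import List, NamedTuple, Optional, Tuple


class Measurement(NamedTuple):
    path: str
    digest: str  # hex digest of file content (constructed sample values below)


def template_digest(m: Measurement) -> bytes:
    """Stand-in for the per-record template hash: identical records hash identically."""
    return hashlib.sha1(f"sha256:{m.digest} {m.path}".encode()).digest()


def pcr_extend(pcr: bytes, value: bytes) -> bytes:
    """TPM-style extend of a 20-byte register: new = H(old || value)."""
    return hashlib.sha1(pcr + value).digest()


def build_log(events: List[Measurement], allow_duplicates: bool) -> Tuple[List[Measurement], bytes]:
    """Append measurements in order. With allow_duplicates=False, a record whose
    template digest already appears in the list is dropped and the PCR is not extended
    (the de-duplicating behaviour); with True every event is recorded and extended."""
    pcr, log, seen = bytes(20), [], set()
    for m in events:
        td = template_digest(m)
        if not allow_duplicates and td in seen:
            continue
        seen.add(td)
        log.append(m)
        pcr = pcr_extend(pcr, td)
    return log, pcr


def last_recorded_digest(log: List[Measurement], path: str) -> Optional[str]:
    """What a verifier walking the list would take as the file's most recent state."""
    for m in reversed(log):
        if m.path == path:
            return m.digest
    return None


# Constructed sample: a config file is measured good (A), tampered (B), then reverted to A.
GOOD, BAD = "a1" * 32, "b2" * 32
PATH = "/etc/example.conf"  # constructed path, not a real policy target
EVENTS = [Measurement(PATH, GOOD), Measurement(PATH, BAD), Measurement(PATH, GOOD)]

if __name__ == "__main__":
    for mode in (False, True):
        log, pcr = build_log(EVENTS, allow_duplicates=mode)
        print(f"duplicates={mode}: {len(log)} records, "
              f"last={last_recorded_digest(log, PATH)[:8]}..., PCR={pcr.hex()[:16]}...")
```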
