From: Mimi Zohar <zohar@linux.ibm.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-integrity <linux-integrity@vger.kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>
Subject: [GIT PULL] integrity subsystem updates for v5.14
Date: Mon, 28 Jun 2021 14:10:52 -0400 [thread overview]
Message-ID: <12f950a86631e83e9af52faa843cd335ac867af8.camel@linux.ibm.com> (raw)
Hi Linus,
The large majority of the changes are EVM portable & immutable
signature related: removing a dependency on loading an HMAC key, safely
allowing file metadata included in the EVM portable & immutable
signatures to be modified, allowing EVM signatures to fulfill IMA file
signature policy requirements, including the EVM file metadata
signature in lieu of an IMA file data signature in the measurement
list, and adding dynamic debugging of EVM file metadata.
In addition, in order to detect critical data or file change
reversions, duplicate measurement records are permitted in the IMA
measurement list. The remaining patches address compiler, sparse, and
doc warnings.
thanks,
Mimi
The following changes since commit d07f6ca923ea0927a1024dfccafc5b53b61cfecc:
Linux 5.13-rc2 (2021-05-16 15:27:44 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v5.14
for you to fetch changes up to 907a399de7b0566236c480d0c01ff52220532fb1:
evm: Check xattr size discrepancy between kernel and user (2021-06-21 08:34:21 -0400)
----------------------------------------------------------------
integrity-v5.14
----------------------------------------------------------------
Gustavo A. R. Silva (1):
ima: Fix fall-through warning for Clang
Lakshmi Ramasubramanian (1):
ima: Fix warning: no previous prototype for function 'ima_add_kexec_buffer'
Mimi Zohar (5):
evm: fix writing <securityfs>/evm overflow
Merge branch 'misc-evm-v7' into next-integrity
Merge branch 'verify-evm-portable-sig-v2' into next-integrity
ima: differentiate between EVM failures in the audit log
evm: output EVM digest calculation info
Roberto Sassu (25):
evm: Execute evm_inode_init_security() only when an HMAC key is loaded
evm: Load EVM key in ima_load_x509() to avoid appraisal
evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded
evm: Introduce evm_revalidate_status()
evm: Introduce evm_hmac_disabled() to safely ignore verification errors
evm: Allow xattr/attr operations for portable signatures
evm: Pass user namespace to set/remove xattr hooks
evm: Allow setxattr() and setattr() for unmodified metadata
evm: Deprecate EVM_ALLOW_METADATA_WRITES
ima: Allow imasig requirement to be satisfied by EVM portable signatures
ima: Introduce template field evmsig and write to field sig as fallback
ima: Don't remove security.ima if file must not be appraised
ima: Add ima_show_template_uint() template library function
ima: Define new template fields iuid and igid
ima: Define new template field imode
evm: Verify portable signatures against all protected xattrs
ima: Define new template fields xattrnames, xattrlengths and xattrvalues
ima: Define new template evm-sig
evm: Don't return an error in evm_write_xattrs() if audit is not enabled
doc: Fix warning in Documentation/security/IMA-templates.rst
ima: Set correct casting types
ima/evm: Fix type mismatch
ima: Include header defining ima_post_key_create_or_update()
ima: Pass NULL instead of 0 to ima_get_action() in ima_file_mprotect()
evm: Check xattr size discrepancy between kernel and user
Tushar Sugandhi (1):
IMA: support for duplicate measurement records
Documentation/ABI/testing/evm | 36 ++-
Documentation/security/IMA-templates.rst | 12 +-
include/linux/evm.h | 34 ++-
include/linux/integrity.h | 1 +
security/integrity/evm/evm.h | 1 +
security/integrity/evm/evm_crypto.c | 58 ++++-
security/integrity/evm/evm_main.c | 376 ++++++++++++++++++++++++---
security/integrity/evm/evm_secfs.c | 31 ++-
security/integrity/iint.c | 4 +-
security/integrity/ima/Kconfig | 7 +
security/integrity/ima/ima_appraise.c | 44 +++-
security/integrity/ima/ima_asymmetric_keys.c | 1 +
security/integrity/ima/ima_crypto.c | 4 +-
security/integrity/ima/ima_fs.c | 6 +-
security/integrity/ima/ima_init.c | 4 +
security/integrity/ima/ima_kexec.c | 1 +
security/integrity/ima/ima_main.c | 2 +-
security/integrity/ima/ima_queue.c | 5 +-
security/integrity/ima/ima_template.c | 30 ++-
security/integrity/ima/ima_template_lib.c | 211 ++++++++++++++-
security/integrity/ima/ima_template_lib.h | 16 ++
security/security.c | 4 +-
22 files changed, 804 insertions(+), 84 deletions(-)
next reply other threads:[~2021-06-28 18:11 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-28 18:10 Mimi Zohar [this message]
2021-06-28 23:36 ` [GIT PULL] integrity subsystem updates for v5.14 pr-tracker-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=12f950a86631e83e9af52faa843cd335ac867af8.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).