linux-kernel.vger.kernel.org archive mirror
* [GIT PULL] integrity: subsystem updates for v6.10
@ 2024-05-15 11:55 Mimi Zohar
  2024-05-15 16:35 ` pr-tracker-bot
  0 siblings, 1 reply; 2+ messages in thread
From: Mimi Zohar @ 2024-05-15 11:55 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: linux-integrity, linux-kernel, Roberto Sassu

Hi Linus,

Two IMA changes, one EVM change, a use-after-free bug fix, and a code cleanup to
address "-Wflex-array-member-not-at-end" warnings:

- The existing IMA {ascii, binary}_runtime_measurements lists include a
hard-coded SHA1 hash.  To address this limitation, define per TPM-enabled hash
algorithm {ascii, binary}_runtime_measurements lists.

- Close an IMA integrity init_module syscall measurement gap by defining a new
critical-data record.

- Enable (partial) EVM support on stacked filesystems (overlayfs).  Only EVM
portable & immutable file signatures are copied up, since they do not contain
filesystem specific metadata.

thanks,

Mimi


The following changes since commit fec50db7033ea478773b159e0e2efb135270e3b7:

  Linux 6.9-rc3 (2024-04-07 13:22:46 -0700)

are available in the Git repository at:

  ssh://gitolite@ra.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v6.10

for you to fetch changes up to 9fa8e76250082a45d0d3dad525419ab98bd01658:

  ima: add crypto agility support for template-hash algorithm (2024-04-12 09:59:04 -0400)

----------------------------------------------------------------
integrity-v6.10

----------------------------------------------------------------
Enrico Bravi (1):
      ima: add crypto agility support for template-hash algorithm

Gustavo A. R. Silva (1):
      integrity: Avoid -Wflex-array-member-not-at-end warnings

Mimi Zohar (1):
      ima: define an init_module critical data record

Stefan Berger (11):
      ima: Fix use-after-free on a dentry's dname.name
      ima: Rename backing_inode to real_inode
      security: allow finer granularity in permitting copy-up of security xattrs
      evm: Implement per signature type decision in security_inode_copy_up_xattr
      evm: Use the metadata inode to calculate metadata hash
      ima: Move file-change detection variables into new structure
      evm: Store and detect metadata inode attributes changes
      ima: re-evaluate file integrity on file metadata change
      evm: Enforce signatures on unsupported filesystem for EVM_INIT_X509
      fs: Rename SB_I_EVM_UNSUPPORTED to SB_I_EVM_HMAC_UNSUPPORTED
      evm: Rename is_unsupported_fs to is_unsupported_hmac_fs

 fs/overlayfs/copy_up.c                    |   2 +-
 fs/overlayfs/super.c                      |   2 +-
 include/linux/evm.h                       |   8 ++
 include/linux/fs.h                        |   2 +-
 include/linux/integrity.h                 |  34 ++++++++
 include/linux/lsm_hook_defs.h             |   3 +-
 include/linux/security.h                  |   4 +-
 security/integrity/evm/evm.h              |   8 +-
 security/integrity/evm/evm_crypto.c       |  25 ++++--
 security/integrity/evm/evm_main.c         |  92 +++++++++++++++-----
 security/integrity/ima/ima.h              |  12 ++-
 security/integrity/ima/ima_api.c          |  32 ++++---
 security/integrity/ima/ima_appraise.c     |   4 +-
 security/integrity/ima/ima_crypto.c       |   7 +-
 security/integrity/ima/ima_fs.c           | 134 +++++++++++++++++++++++++++---
 security/integrity/ima/ima_iint.c         |   2 +-
 security/integrity/ima/ima_init.c         |   6 +-
 security/integrity/ima/ima_kexec.c        |   1 +
 security/integrity/ima/ima_main.c         |  44 +++++++---
 security/integrity/ima/ima_template_lib.c |  27 ++++--
 security/integrity/integrity.h            |  12 ++-
 security/security.c                       |   5 +-
 security/selinux/hooks.c                  |   2 +-
 security/smack/smack_lsm.c                |   2 +-
 24 files changed, 374 insertions(+), 96 deletions(-)
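The per-algorithm {ascii, binary}_runtime_measurements lists described in the pull request carry the same records as the legacy SHA1 list, but with the template hash in the algorithm of the corresponding TPM bank, so a verifier must know which list it is reading before it can recompute anything. The following is an added example, not code from the pull request or the kernel: a small Python parser and verifier for an ima-ng binary measurement list. It assumes the kernel's binary record layout (u32 PCR, template hash, u32 name length, name, u32 template-data length, template data; each ima-ng field is a u32 length followed by its bytes), little-endian encoding (ima_canonical_fmt or an LE host), and the kernel's convention that a violation entry is listed with an all-zero template hash while the PCR is extended with 0xff bytes. The sample records, paths and file digests are constructed inline; the `build_record`, `parse`, `verify` and `demo` names are this example's own. The legacy 'ima' template, which omits the template-data length field, is not handled.

```python
"""Parse and verify an IMA binary runtime measurements list (ima-ng style).

Added example; not kernel code. Assumes little-endian records, the ima-ng
template layout, and that a violation entry is listed with a zero template
hash but extends the PCR with 0xff bytes (kernel convention).
"""
import hashlib
import struct
from dataclasses import dataclass

PCR_IMA = 10  # default IMA measurement PCR


@dataclass
class Record:
    pcr: int
    template_hash: bytes
    template_name: str
    template_data: bytes

    def fields(self) -> list:
        """Split ima-ng template data into its length-prefixed fields."""
        out, off = [], 0
        while off < len(self.template_data):
            (n,) = struct.unpack_from("<I", self.template_data, off)
            off += 4
            if off + n > len(self.template_data):
                raise ValueError("field length runs past template data")
            out.append(self.template_data[off:off + n])
            off += n
        return out

    def file_digest(self):
        """Return (algo, digest) from the 'd-ng' field, encoded 'algo:\\0digest'."""
        algo, _, digest = self.fields()[0].partition(b":\x00")
        return algo.decode(), digest

    def path(self) -> str:
        """Return the 'n-ng' field without its trailing NUL."""
        return self.fields()[1].rstrip(b"\x00").decode()


def parse(buf: bytes, algo: str = "sha256") -> list:
    """Parse binary_runtime_measurements_<algo>; use algo='sha1' for the legacy list."""
    dlen = hashlib.new(algo).digest_size
    recs, off = [], 0
    while off < len(buf):
        (pcr,) = struct.unpack_from("<I", buf, off); off += 4
        th = buf[off:off + dlen]; off += dlen
        (nlen,) = struct.unpack_from("<I", buf, off); off += 4
        name = buf[off:off + nlen].decode(); off += nlen
        (tlen,) = struct.unpack_from("<I", buf, off); off += 4
        tdata = buf[off:off + tlen]; off += tlen
        if len(th) != dlen or len(tdata) != tlen:
            raise ValueError("truncated record")
        recs.append(Record(pcr, th, name, tdata))
    return recs


def verify(recs: list, algo: str = "sha256"):
    """Recompute each template hash and replay the PCR extends.

    Returns (all_template_hashes_ok, expected_pcr_value). The aggregate starts
    at all zeros and is extended with each entry's template hash, exactly as
    the TPM bank for `algo` would be.
    """
    dlen = hashlib.new(algo).digest_size
    aggregate, ok = bytes(dlen), True
    for r in recs:
        if r.template_hash == bytes(dlen):      # violation entry
            extend = b"\xff" * dlen
        else:
            extend = r.template_hash
            if hashlib.new(algo, r.template_data).digest() != r.template_hash:
                ok = False                      # list was altered after the fact
        aggregate = hashlib.new(algo, aggregate + extend).digest()
    return ok, aggregate


def build_record(algo: str, file_algo: str, file_digest: bytes, path: str,
                 violation: bool = False) -> bytes:
    """Serialise one constructed ima-ng record the way the kernel writes it."""
    d_ng = file_algo.encode() + b":\x00" + file_digest
    n_ng = path.encode() + b"\x00"
    tdata = b"".join(struct.pack("<I", len(f)) + f for f in (d_ng, n_ng))
    dlen = hashlib.new(algo).digest_size
    th = bytes(dlen) if violation else hashlib.new(algo, tdata).digest()
    name = b"ima-ng"
    return (struct.pack("<I", PCR_IMA) + th + struct.pack("<I", len(name)) + name
            + struct.pack("<I", len(tdata)) + tdata)


def demo() -> dict:
    """Build a constructed three-entry list, parse it and verify it."""
    files = [("/usr/bin/bash", b"\x11" * 32), ("/etc/passwd", b"\x22" * 32)]
    buf = b"".join(build_record("sha256", "sha256", d, p) for p, d in files)
    buf += build_record("sha256", "sha256", bytes(32), "/tmp/x", violation=True)
    recs = parse(buf, "sha256")
    ok, agg = verify(recs, "sha256")
    return {"count": len(recs), "paths": [r.path() for r in recs],
            "ok": ok, "pcr10": agg.hex()}


if __name__ == "__main__":
    print(demo())
```

On a live system the same functions read `/sys/kernel/security/ima/binary_runtime_measurements_sha256` (or the legacy `binary_runtime_measurements` with `algo="sha1"`); the first entry there is the boot_aggregate record, and the replayed value should equal the PCR 10 value in the matching TPM bank. A mismatch with every template hash still valid points at an entry missing from the list rather than at a tampered entry.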



* Re: [GIT PULL] integrity: subsystem updates for v6.10
  2024-05-15 11:55 [GIT PULL] integrity: subsystem updates for v6.10 Mimi Zohar
@ 2024-05-15 16:35 ` pr-tracker-bot
  0 siblings, 0 replies; 2+ messages in thread
From: pr-tracker-bot @ 2024-05-15 16:35 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: Linus Torvalds, linux-integrity, linux-kernel, Roberto Sassu

The pull request you sent on Wed, 15 May 2024 07:55:47 -0400:

> ssh://gitolite@ra.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v6.10

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/353ad6c0839431146fdee3ff16f9dd17a2809ee4

Thank you!

-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/prtracker.html

