From: Mimi Zohar <zohar@linux.ibm.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-integrity <linux-integrity@vger.kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>,
Roberto Sassu <roberto.sassu@huaweicloud.com>
Subject: [GIT PULL] integrity: subsystem updates for v6.10
Date: Wed, 15 May 2024 07:55:47 -0400
Message-ID: <1887e28b6bcbe1eca72028432c9e0fee7a72fbfe.camel@linux.ibm.com>
Hi Linus,
Two IMA changes, one EVM change, a use-after-free bug fix, and a code cleanup to
address "-Wflex-array-member-not-at-end" warnings:
- The existing IMA {ascii, binary}_runtime_measurements lists include a
hard-coded SHA1 hash. To address this limitation, define per TPM enabled hash
algorithm {ascii, binary}_runtime_measurements lists.
- Close an IMA integrity init_module syscall measurement gap by defining a new
critical-data record.
- Enable (partial) EVM support on stacked filesystems (overlayfs). Only EVM
portable & immutable file signatures are copied up, since they do not contain
filesystem specific metadata.
thanks,
Mimi
The following changes since commit fec50db7033ea478773b159e0e2efb135270e3b7:
Linux 6.9-rc3 (2024-04-07 13:22:46 -0700)
are available in the Git repository at:
ssh://gitolite@ra.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v6.10
for you to fetch changes up to 9fa8e76250082a45d0d3dad525419ab98bd01658:
ima: add crypto agility support for template-hash algorithm (2024-04-12 09:59:04 -0400)
----------------------------------------------------------------
integrity-v6.10
----------------------------------------------------------------
Enrico Bravi (1):
ima: add crypto agility support for template-hash algorithm
Gustavo A. R. Silva (1):
integrity: Avoid -Wflex-array-member-not-at-end warnings
Mimi Zohar (1):
ima: define an init_module critical data record
Stefan Berger (11):
ima: Fix use-after-free on a dentry's dname.name
ima: Rename backing_inode to real_inode
security: allow finer granularity in permitting copy-up of security xattrs
evm: Implement per signature type decision in security_inode_copy_up_xattr
evm: Use the metadata inode to calculate metadata hash
ima: Move file-change detection variables into new structure
evm: Store and detect metadata inode attributes changes
ima: re-evaluate file integrity on file metadata change
evm: Enforce signatures on unsupported filesystem for EVM_INIT_X509
fs: Rename SB_I_EVM_UNSUPPORTED to SB_I_EVM_HMAC_UNSUPPORTED
evm: Rename is_unsupported_fs to is_unsupported_hmac_fs
fs/overlayfs/copy_up.c | 2 +-
fs/overlayfs/super.c | 2 +-
include/linux/evm.h | 8 ++
include/linux/fs.h | 2 +-
include/linux/integrity.h | 34 ++++++++
include/linux/lsm_hook_defs.h | 3 +-
include/linux/security.h | 4 +-
security/integrity/evm/evm.h | 8 +-
security/integrity/evm/evm_crypto.c | 25 ++++--
security/integrity/evm/evm_main.c | 92 +++++++++++++++-----
security/integrity/ima/ima.h | 12 ++-
security/integrity/ima/ima_api.c | 32 ++++---
security/integrity/ima/ima_appraise.c | 4 +-
security/integrity/ima/ima_crypto.c | 7 +-
security/integrity/ima/ima_fs.c | 134 +++++++++++++++++++++++++++---
security/integrity/ima/ima_iint.c | 2 +-
security/integrity/ima/ima_init.c | 6 +-
security/integrity/ima/ima_kexec.c | 1 +
security/integrity/ima/ima_main.c | 44 +++++++---
security/integrity/ima/ima_template_lib.c | 27 ++++--
security/integrity/integrity.h | 12 ++-
security/security.c | 5 +-
security/selinux/hooks.c | 2 +-
security/smack/smack_lsm.c | 2 +-
24 files changed, 374 insertions(+), 96 deletions(-)
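As an added illustration of the first change above (not code from the pull request or from the kernel), the following Python replays constructed ascii_runtime_measurements lines into a software PCR and shows why a list whose template hashes are SHA1 cannot reproduce a SHA256 PCR bank. The `<pcr> <template-hash> <template-name> <data>` line layout and the ima-ng `sha256:<hash> <path>` data field are assumed from the IMA list format; the entries and their template hashes are constructed labels, not real measurements.

```python
import hashlib

# Hex length of the template hash -> algorithm the list was written with.
HEX_LEN_TO_ALGO = {40: "sha1", 64: "sha256", 96: "sha384", 128: "sha512"}

def parse_entry(line):
    """Split one ascii_runtime_measurements line into its parts.

    Assumed layout: <pcr> <template-hash> <template-name> <template data...>
    For the ima-ng template the data is '<algo>:<file-hash> <path>'.
    """
    pcr, template_hash, template_name, rest = line.split(" ", 3)
    algo = HEX_LEN_TO_ALGO.get(len(template_hash))
    if algo is None or not all(c in "0123456789abcdef" for c in template_hash):
        raise ValueError(f"bad template hash: {template_hash!r}")
    return {"pcr": int(pcr), "template_hash": bytes.fromhex(template_hash),
            "template_algo": algo, "template_name": template_name, "data": rest}

def replay_pcr(lines, bank_algo, pcr=10):
    """Replay the list into a software PCR (extend: new = H(old || digest)).

    The bank can only be reproduced when every template hash in the list uses
    the bank's algorithm; a legacy SHA1-only list cannot verify a SHA256 bank.
    """
    size = hashlib.new(bank_algo).digest_size
    value = bytes(size)  # PCRs start at all zeros
    for line in lines:
        entry = parse_entry(line)
        if entry["pcr"] != pcr:
            continue
        if entry["template_algo"] != bank_algo:
            raise ValueError(f"list written with {entry['template_algo']}, "
                             f"cannot replay into {bank_algo} bank")
        value = hashlib.new(bank_algo, value + entry["template_hash"]).digest()
    return value.hex()

def make_list(template_algo, entries):
    """Build constructed sample lines. The template hashes are digests of a
    label, not real IMA template-data hashes; the paths are made up."""
    return [f"10 {hashlib.new(template_algo, label.encode()).hexdigest()} "
            f"ima-ng sha256:{hashlib.sha256(path.encode()).hexdigest()} {path}"
            for label, path in entries]

ENTRIES = [("boot_aggregate", "boot_aggregate"), ("init", "/sbin/init"),
           ("sh", "/bin/sh")]
LEGACY_LIST = make_list("sha1", ENTRIES)    # shape of the SHA1-only list
SHA256_LIST = make_list("sha256", ENTRIES)  # shape of a per-algorithm list
```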