From: Mimi Zohar <zohar@linux.ibm.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-integrity <linux-integrity@vger.kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>,
Roberto Sassu <roberto.sassu@huaweicloud.com>
Subject: [GIT PULL] integrity: subsystem updates for v6.19
Date: Tue, 02 Dec 2025 16:55:12 -0500 [thread overview]
Message-ID: <58c716aa7e18d107590f98705c29e5a0434cbcbf.camel@linux.ibm.com> (raw)
Hi Linus,
There are two bug fixes: defer credentials checking from the bprm_check_security
hook to the bprm_creds_from_file security hook, properly ignore IMA policy rules
based on undefined SELinux labels.
And two IMA policy rule extensions: extend IMA to limit including file hashes in
the audit logs (dont_audit action), define a new filesystem subtype policy
option (fs_subtype).
And extend IMA to support commit b1ae6dc41eaa ("module: add in-kernel support
for decompressing") by deferring the IMA signature verification in
kernel_read_file() to after the kernel module is decompressed.
thanks,
Mimi
The following changes since commit 3a8660878839faadb4f1a6dd72c3179c1df56787:
Linux 6.18-rc1 (2025-10-12 13:42:36 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git/ tags/integrity-v6.19
for you to fetch changes up to 738c9738e690f5cea24a3ad6fd2d9a323cf614f6:
ima: Handle error code returned by ima_filter_rule_match() (2025-11-21 07:24:01 -0500)
----------------------------------------------------------------
integrity-v6.19
----------------------------------------------------------------
Coiby Xu (1):
ima: Access decompressed kernel module to verify appended signature
Jann Horn (2):
ima: add dont_audit action to suppress audit actions
ima: add fs_subtype condition for distinguishing FUSE instances
Roberto Sassu (1):
ima: Attach CREDS_CHECK IMA hook to bprm_creds_from_file LSM hook
Zhao Yipeng (1):
ima: Handle error code returned by ima_filter_rule_match()
Documentation/ABI/testing/ima_policy | 3 +-
include/linux/kernel_read_file.h | 1 +
kernel/module/main.c | 17 ++++++++--
security/integrity/ima/ima_main.c | 62 +++++++++++++++++++++++++++---------
security/integrity/ima/ima_policy.c | 62 ++++++++++++++++++++++++++++++++----
security/ipe/hooks.c | 1 +
security/selinux/hooks.c | 5 +--
7 files changed, 123 insertions(+), 28 deletions(-)
next reply other threads:[~2025-12-02 21:55 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-02 21:55 Mimi Zohar [this message]
2025-12-03 19:32 ` [GIT PULL] integrity: subsystem updates for v6.19 pr-tracker-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=58c716aa7e18d107590f98705c29e5a0434cbcbf.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=roberto.sassu@huaweicloud.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).