public inbox for linux-kernel@vger.kernel.org
* [GIT PULL] lsm/lsm-pr-20240312
@ 2024-03-12 23:20 Paul Moore
  2024-03-13  3:14 ` pr-tracker-bot
  0 siblings, 1 reply; 2+ messages in thread
From: Paul Moore @ 2024-03-12 23:20 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: linux-security-module, linux-kernel

Hi Linus,

There are a number of LSM patches for the Linux v6.9 merge window;
the highlights are shown below.  As a heads-up, someone just flagged
a problem with the LSM syscalls earlier today, so expect another pull
request within a few days once we've had a chance to develop/review/test
the fix.

- Promote IMA/EVM to a proper LSM

This is the bulk of the diffstat in the pull request, and the source
of all the changes in the VFS code.  Prior to the start of the LSM
stacking work it was important that IMA/EVM were separate from the
rest of the LSMs, complete with their own hooks, infrastructure, etc.
as it was the only way to enable IMA/EVM at the same time as an LSM.
However, now that the bulk of the LSM infrastructure supports multiple
simultaneous LSMs, we can simplify things greatly by bringing IMA/EVM
into the LSM infrastructure as proper LSMs.  This is something I've
wanted to see happen for quite some time and Roberto was kind enough
to put in the work to make it happen.

- Use the LSM hook default values to simplify the call_int_hook() macro

Previously the call_int_hook() macro required callers to supply a
default return value, despite a default value being specified when
the LSM hook was defined.  This pull request simplifies the macro
by using the defined default return value which makes life easier
for callers and should also reduce the number of return value bugs
in the future (we've had a few pop up recently, hence this work).

- Use the KMEM_CACHE() macro instead of kmem_cache_create()

The guidance appears to be to use the KMEM_CACHE() macro when possible
and there is no reason why we can't use the macro, so let's use it.

- Fix a number of comment typos in the LSM hook comment blocks

Not much to say here, we fixed some questionable grammar decisions in
the LSM hook comment blocks.

Please merge when you have the chance,
-Paul

--
The following changes since commit 54be6c6c5ae8e0d93a6c4641cb7528eb0b6ba478:

  Linux 6.8-rc3 (2024-02-04 12:20:36 +0000)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git
    tags/lsm-pr-20240312

for you to fetch changes up to edc6670233a333ccfd1ec0548f068bd121d209c8:

  cred: Use KMEM_CACHE() instead of kmem_cache_create()
    (2024-02-23 17:33:31 -0500)

----------------------------------------------------------------
lsm/stable-6.9 PR 20240312

----------------------------------------------------------------
Kunwu Chan (1):
      cred: Use KMEM_CACHE() instead of kmem_cache_create()

Ondrej Mosnacek (1):
      lsm: use default hook return value in call_int_hook()

Pairman Guo (1):
      lsm: fix typos in security/security.c comment headers

Roberto Sassu (25):
      ima: Align ima_inode_post_setattr() definition with LSM infrastructure
      ima: Align ima_file_mprotect() definition with LSM infrastructure
      ima: Align ima_inode_setxattr() definition with LSM infrastructure
      ima: Align ima_inode_removexattr() definition with LSM infrastructure
      ima: Align ima_post_read_file() definition with LSM infrastructure
      evm: Align evm_inode_post_setattr() definition with LSM infrastructure
      evm: Align evm_inode_setxattr() definition with LSM infrastructure
      evm: Align evm_inode_post_setxattr() definition with LSM infrastructure
      security: Align inode_setattr hook definition with EVM
      security: Introduce inode_post_setattr hook
      security: Introduce inode_post_removexattr hook
      security: Introduce file_post_open hook
      security: Introduce file_release hook
      security: Introduce path_post_mknod hook
      security: Introduce inode_post_create_tmpfile hook
      security: Introduce inode_post_set_acl hook
      security: Introduce inode_post_remove_acl hook
      security: Introduce key_post_create_or_update hook
      integrity: Move integrity_kernel_module_request() to IMA
      ima: Move to LSM infrastructure
      ima: Move IMA-Appraisal to LSM infrastructure
      evm: Move to LSM infrastructure
      evm: Make it independent from 'integrity' LSM
      ima: Make it independent from 'integrity' LSM
      integrity: Remove LSM

 fs/attr.c                                          |   5 +-
 fs/file_table.c                                    |   3 +-
 fs/namei.c                                         |  12 +-
 fs/nfsd/vfs.c                                      |   3 +-
 fs/open.c                                          |   1 -
 fs/posix_acl.c                                     |   5 +-
 fs/xattr.c                                         |   9 +-
 include/linux/evm.h                                | 117 +---
 include/linux/ima.h                                | 142 ----
 include/linux/integrity.h                          |  27 -
 include/linux/lsm_hook_defs.h                      |  20 +-
 include/linux/security.h                           |  59 ++
 include/uapi/linux/lsm.h                           |   2 +
 kernel/cred.c                                      |   4 +-
 security/integrity/Makefile                        |   1 +
 security/integrity/digsig_asymmetric.c             |  23 -
 security/integrity/evm/Kconfig                     |   1 +
 security/integrity/evm/evm.h                       |  19 +
 security/integrity/evm/evm_crypto.c                |   4 +-
 security/integrity/evm/evm_main.c                  | 195 +++++-
 security/integrity/iint.c                          | 197 +-----
 security/integrity/ima/Kconfig                     |   1 +
 security/integrity/ima/Makefile                    |   2 +-
 security/integrity/ima/ima.h                       | 148 +++-
 security/integrity/ima/ima_api.c                   |  23 +-
 security/integrity/ima/ima_appraise.c              |  66 +-
 security/integrity/ima/ima_iint.c                  | 142 ++++
 security/integrity/ima/ima_init.c                  |   2 +-
 security/integrity/ima/ima_main.c                  | 148 +++-
 security/integrity/ima/ima_policy.c                |   2 +-
 security/integrity/integrity.h                     |  80 +--
 security/keys/key.c                                |  10 +-
 security/security.c                                | 775 ++++++++++-----------
 security/selinux/hooks.c                           |   3 +-
 security/smack/smack_lsm.c                         |   4 +-
 .../testing/selftests/lsm/lsm_list_modules_test.c  |   6 +
 36 files changed, 1123 insertions(+), 1138 deletions(-)
 create mode 100644 security/integrity/ima/ima_iint.c

--
paul-moore.com

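The call_int_hook() change above is easier to see with a small model of the hook-dispatch macro. The following is an added example, not code from the pull request or from the kernel: the X-macro table, the two hook names, the two "LSMs" and the hypothetical `call_int_hook_old`/`call_int_hook_new` macros are all invented for illustration. What it preserves from the description is the shape of the bug class: a caller-supplied default can drift from the default declared with the hook, and when no LSM implements the hook the drifted value is what gets returned.

```c
/*
 * Toy model of LSM integer-hook dispatch (added example, not kernel code).
 *
 * Each hook's default return value is declared once in a table, the way
 * include/linux/lsm_hook_defs.h declares LSM_HOOK(RET, DEFAULT, NAME, ...).
 * The "old" macro takes the default from the caller as well; the "new"
 * macro reads it from the table, so the two copies cannot disagree.
 * Requires GCC/Clang statement expressions, as the kernel macro does.
 */
#include <stddef.h>
#include <errno.h>
#include <stdio.h>

/* Hypothetical hook table: X(default_return, hook_name). */
#define TOY_HOOK_LIST                       \
    X(0,           inode_setattr)           \
    X(-EOPNOTSUPP, inode_getsecurity)

/* One function pointer per hook; a module leaves unimplemented hooks NULL. */
struct toy_hooks {
#define X(def, name) int (*name)(int arg);
    TOY_HOOK_LIST
#undef X
};

/* Per-hook default constants generated from the same table
 * (the role LSM_RET_DEFAULT(NAME) plays in the kernel). */
enum {
#define X(def, name) toy_default_##name = (def),
    TOY_HOOK_LIST
#undef X
};

/* Two invented LSMs; both implement inode_setattr, neither implements
 * inode_getsecurity. */
static int lsm_a_inode_setattr(int arg) { return arg < 0 ? -EPERM : 0; }
static int lsm_b_inode_setattr(int arg) { return arg == 42 ? -EACCES : 0; }

static const struct toy_hooks modules[] = {
    { .inode_setattr = lsm_a_inode_setattr },
    { .inode_setattr = lsm_b_inode_setattr },
};
#define NMODULES (sizeof(modules) / sizeof(modules[0]))

/* Old shape: caller supplies IRC as the starting value. Every registered
 * implementation is called in order; the first non-zero result wins. If
 * nobody implements the hook, IRC is returned unchanged, so a wrong IRC
 * becomes the hook's effective result. */
#define call_int_hook_old(NAME, IRC, ARG) ({            \
    int rc_ = (IRC);                                    \
    for (size_t i_ = 0; i_ < NMODULES; i_++) {          \
        if (!modules[i_].NAME)                          \
            continue;                                   \
        rc_ = modules[i_].NAME(ARG);                    \
        if (rc_ != 0)                                   \
            break;                                      \
    }                                                   \
    rc_; })

/* New shape: the default comes from the hook definition, so callers can
 * no longer pass a stale or mistyped value. */
#define call_int_hook_new(NAME, ARG) \
    call_int_hook_old(NAME, toy_default_##NAME, ARG)

/* A caller that passed 0 for a hook whose table default is -EOPNOTSUPP:
 * with no implementer, "unsupported" silently becomes "success". */
int getsecurity_old_wrong(void)
{
    return call_int_hook_old(inode_getsecurity, 0, 0);
}

/* Same call through the new macro: the table default is returned. */
int getsecurity_new(void)
{
    return call_int_hook_new(inode_getsecurity, 0);
}

/* Hook with two implementers: modules are consulted in order and the
 * first error stops the walk. */
int setattr_check(int arg)
{
    return call_int_hook_new(inode_setattr, arg);
}

int main(void)
{
    printf("old macro, wrong caller default: %d\n", getsecurity_old_wrong());
    printf("new macro, table default:        %d\n", getsecurity_new());
    printf("setattr(1)=%d setattr(-1)=%d setattr(42)=%d\n",
           setattr_check(1), setattr_check(-1), setattr_check(42));
    return 0;
}
```

The point of generating both the hook struct and the default constants from one table is that a default lives in exactly one place; the caller-side copy that the old macro required is the second source of truth the pull request describes removing.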

* Re: [GIT PULL] lsm/lsm-pr-20240312
  2024-03-12 23:20 [GIT PULL] lsm/lsm-pr-20240312 Paul Moore
@ 2024-03-13  3:14 ` pr-tracker-bot
  0 siblings, 0 replies; 2+ messages in thread
From: pr-tracker-bot @ 2024-03-13  3:14 UTC (permalink / raw)
  To: Paul Moore; +Cc: Linus Torvalds, linux-security-module, linux-kernel

The pull request you sent on Tue, 12 Mar 2024 19:20:08 -0400:

> https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git tags/lsm-pr-20240312

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/cc4a875cf3b3bc07d523ea85b8ca45da1ca4f4e6

Thank you!

-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/prtracker.html

