[GIT PULL] integrity subsystem updates for v5.3

Mimi Zohar zohar at linux.ibm.com
Mon Jul 8 12:58:58 UTC 2019


Hi Linus,

Included in this pull request are bug fixes, code clean up, and new
features.  Listed below are the main changes.

- IMA policy rules can be defined in terms of LSM labels, making the
IMA policy dependent on LSM policy label changes, in particular LSM
label deletions.  The new environment, in which IMA-appraisal is being
used, frequently updates the LSM policy and permits LSM label
deletions.

- Prevent an mmap'ed shared file opened for write from also being
mmap'ed execute.  In the long term, making this and other similar
changes at the VFS layer would be preferable.

- The IMA per policy rule template format support is needed for a
couple of new/proposed features (eg. kexec boot command line
measurement, appended signatures, and VFS provided file hashes).

- Other than the "boot-aggregate" record in the IMA measuremeent list,
all other measurements are of file data.  Measuring and storing the
kexec boot command line in the IMA measurement list is the first
buffer based measurement included in the measurement list.

(Stephen is carrying a patch to address a merge conflict with David's
"Keys: Set 4 - Key ACLs for 5.3").

thanks,

Mimi


The following changes since commit 8cdc23a3d9ec0944000ad43bad588e36afdc38cd:

  ima: show rules with IMA_INMASK correctly (2019-05-29 23:18:25 -0400)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity

for you to fetch changes up to 650b29dbdf2caf7db27cdc8bfa8fc009b28a6ce3:

  integrity: Introduce struct evm_xattr (2019-06-30 17:54:41 -0400)

----------------------------------------------------------------
Geert Uytterhoeven (1):
      integrity: Fix __integrity_init_keyring() section mismatch

Janne Karhunen (2):
      LSM: switch to blocking policy update notifiers
      ima: use the lsm policy update notifier

Matthew Garrett (1):
      IMA: support for per policy rule template formats

Mimi Zohar (2):
      x86/ima: check EFI SetupMode too
      ima: prevent a file already mmap'ed write to be mmap'ed execute

Nayna Jain (1):
      x86/ima: fix the Kconfig dependency for IMA_ARCH_POLICY

Prakhar Srivastava (3):
      IMA: Define a new hook to measure the kexec boot command line arguments
      IMA: Define a new template field buf
      KEXEC: Call ima_kexec_cmdline to measure the boot command line args

Thiago Jung Bauermann (3):
      ima: Use designated initializers for struct ima_event_data
      ima: Update MAX_TEMPLATE_NAME_LEN to fit largest reasonable definition
      integrity: Introduce struct evm_xattr

YueHaibing (1):
      ima: Make arch_policy_entry static

 Documentation/ABI/testing/ima_policy      |   6 +-
 Documentation/security/IMA-templates.rst  |   7 +-
 arch/x86/kernel/ima_arch.c                |  12 ++-
 drivers/infiniband/core/device.c          |   6 +-
 include/linux/ima.h                       |   2 +
 include/linux/security.h                  |  12 +--
 kernel/kexec_file.c                       |   9 +-
 security/integrity/digsig.c               |   5 +-
 security/integrity/evm/evm_main.c         |   8 +-
 security/integrity/ima/Kconfig            |   3 +-
 security/integrity/ima/ima.h              |  21 +++-
 security/integrity/ima/ima_api.c          |  38 +++++--
 security/integrity/ima/ima_appraise.c     |   9 +-
 security/integrity/ima/ima_init.c         |   6 +-
 security/integrity/ima/ima_main.c         | 123 ++++++++++++++++++++--
 security/integrity/ima/ima_policy.c       | 163 +++++++++++++++++++++++++-----
 security/integrity/ima/ima_template.c     |  23 +++--
 security/integrity/ima/ima_template_lib.c |  21 ++++
 security/integrity/ima/ima_template_lib.h |   4 +
 security/integrity/integrity.h            |   6 ++
 security/security.c                       |  23 +++--
 security/selinux/hooks.c                  |   2 +-
 security/selinux/selinuxfs.c              |   2 +-
 23 files changed, 413 insertions(+), 98 deletions(-)



More information about the Linux-security-module-archive mailing list