Date: Tue, 1 Sep 2015 10:00:09 +1000 (AEST)
From: James Morris
To: Linus Torvalds
cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [GIT PULL] Security subsystem changes for 4.3

Highlights:

  o PKCS#7 support added to support signed kexec, also utilized for module
    signing.  See comments in 3f1e1bea.

    ** NOTE: this requires linking against the OpenSSL library, which must be
    installed, e.g. the openssl-devel on Fedora **

  o Smack: add IPv6 host labeling; ignore labels on kernel threads; support
    smack labeling mounts which use binary mount data

  o SELinux: add ioctl whitelisting (see
    http://kernsec.org/files/lss2015/vanderstoep.pdf); fix mprotect PROT_EXEC
    regression caused by mm change

  o Seccomp: add ptrace options for suspend/resume

Please pull.
---

The following changes since commit e5aeced6bcec5a110e6dfcb78acc203dbe895b59:

  Merge tag 'spi-v4.3' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi (2015-08-31 15:55:49 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next

Casey Schaufler (3):
      Smack: IPv6 host labeling
      Smack: Three symbols that should be static
      Smack - Fix build error with bringup unconfigured

David Howells (28):
      selinux: Create a common helper to determine an inode label [ver #3]
      ASN.1: Fix handling of CHOICE in ASN.1 compiler
      ASN.1: Fix actions on CHOICE elements with IMPLICIT tags
      ASN.1: Fix non-match detection failure on data overrun
      ASN.1: Handle 'ANY OPTIONAL' in grammar
      ASN.1: Add an ASN.1 compiler option to dump the element tree
      ASN.1: Copy string names to tokens in ASN.1 compiler
      X.509: Extract both parts of the AuthorityKeyIdentifier
      X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifier
      PKCS#7: Allow detached data to be supplied for signature checking purposes
      MODSIGN: Provide a utility to append a PKCS#7 signature to a module
      MODSIGN: Use PKCS#7 messages as module signatures
      system_keyring.c doesn't need to #include module-internal.h
      MODSIGN: Extract the blob PKCS#7 signature verifier from module signing
      MAINTAINERS: The keyrings mailing list has moved
      PKCS#7: Check content type and versions
      X.509: Change recorded SKID & AKID to not include Subject or Issuer
      PKCS#7: Support CMS messages also [RFC5652]
      sign-file: Generate CMS message as signature instead of PKCS#7
      PKCS#7: Improve and export the X.509 ASN.1 time object decoder
      KEYS: Add a name for PKEY_ID_PKCS7
      PKCS#7: Appropriately restrict authenticated attributes and content type
      sign-file: Document dependency on OpenSSL devel libraries
      PKCS#7: Add MODULE_LICENSE() to test module
      sign-file: Fix warning about BIO_reset() return value
      Move certificate handling to its own directory
      Documentation/Changes: Now need OpenSSL devel packages for module signing
      PKCS#7: Add OIDs for sha224, sha284 and sha512 hash algos and use them

David Woodhouse (11):
      modsign: Abort modules_install when signing fails
      modsign: Allow password to be specified for signing key
      modsign: Allow signing key to be PKCS#11
      modsign: Allow external signing key to be specified
      modsign: Extract signing cert from CONFIG_MODULE_SIG_KEY if needed
      modsign: Use single PEM file for autogenerated key
      modsign: Add explicit CONFIG_SYSTEM_TRUSTED_KEYS option
      extract-cert: Cope with multiple X.509 certificates in a single file
      modsign: Use extract-cert to process CONFIG_SYSTEM_TRUSTED_KEYS
      modsign: Use if_changed rule for extracting cert from module signing key
      modsign: Handle signing key in source tree

James Morris (7):
      Merge tag 'seccomp-next' of git://git.kernel.org/.../kees/linux into next
      Merge tag 'asn1-fixes-20150805' of git://git.kernel.org/.../dhowells/linux-fs into next
      Merge branch 'smack-for-4.3' of https://github.com/cschaufler/smack-next into next
      Merge tag 'modsign-pkcs7-20150812-3' of git://git.kernel.org/.../dhowells/linux-fs into next
      Merge branch 'smack-for-4.3' of https://github.com/cschaufler/smack-next into next
      Merge branch 'next' of git://git.infradead.org/users/pcmoore/selinux into next
      Merge tag 'modsign-pkcs7-20150814' of git://git.kernel.org/.../dhowells/linux-fs into ra-next

Jeff Vander Stoep (2):
      security: add ioctl specific auditing to lsm_audit
      selinux: extended permissions for ioctls

Kees Cook (2):
      seccomp: swap hard-coded zeros to defined name
      Yama: remove needless CONFIG_SECURITY_YAMA_STACKED

Laurent Bigonville (1):
      selinux: explicitly declare the role "base_r"

Luis R. Rodriguez (1):
      sign-file: Add option to only create signature file

Paul Gortmaker (1):
      scripts: add extract-cert and sign-file to .gitignore

Pranith Kumar (1):
      seccomp: Replace smp_read_barrier_depends() with lockless_dereference()

Roman Kubiak (1):
      Kernel threads excluded from smack checks

Stephen Smalley (2):
      selinux: initialize sock security class to default value
      selinux: Augment BUG_ON assertion for secclass_map.

Tycho Andersen (1):
      seccomp: add ptrace options for suspend/resume

Vivek Trivedi (1):
      smack: allow mount opts setting over filesystems with binary mount data

Waiman Long (1):
      selinux: reduce locking overhead in inode_free_security()

kbuild test robot (1):
      sysfs: fix simple_return.cocci warnings

 .gitignore                                |   1 +
 Documentation/Changes                     |  17 +-
 Documentation/kbuild/kbuild.txt           |   5 +
 Documentation/module-signing.txt          |  56 +++-
 Documentation/security/Smack.txt          |  27 ++-
 Documentation/security/Yama.txt           |  10 +-
 MAINTAINERS                               |  21 +-
 Makefile                                  |  13 +-
 arch/mips/configs/pistachio_defconfig     |   1 -
 arch/x86/kernel/kexec-bzimage64.c         |   4 +-
 certs/Kconfig                             |  42 +++
 certs/Makefile                            |  94 ++++++
 {kernel => certs}/system_certificates.S   |   5 +-
 {kernel => certs}/system_keyring.c        |  53 +++-
 crypto/Kconfig                            |   1 +
 crypto/asymmetric_keys/Makefile           |   8 +-
 crypto/asymmetric_keys/asymmetric_type.c  |  11 +
 crypto/asymmetric_keys/mscode_parser.c    |   9 +
 crypto/asymmetric_keys/pkcs7.asn1         |  22 +-
 crypto/asymmetric_keys/pkcs7_key_type.c   |  17 +-
 crypto/asymmetric_keys/pkcs7_parser.c     | 277 +++++++++++++++-
 crypto/asymmetric_keys/pkcs7_parser.h     |  20 +-
 crypto/asymmetric_keys/pkcs7_trust.c      |  10 +-
 crypto/asymmetric_keys/pkcs7_verify.c     | 145 +++++++-
 crypto/asymmetric_keys/public_key.c       |   1 +
 crypto/asymmetric_keys/verify_pefile.c    |   7 +-
 crypto/asymmetric_keys/x509_akid.asn1     |  35 ++
 crypto/asymmetric_keys/x509_cert_parser.c | 231 +++++++++-----
 crypto/asymmetric_keys/x509_parser.h      |  12 +-
 crypto/asymmetric_keys/x509_public_key.c  |  95 ++++--
 include/crypto/pkcs7.h                    |  13 +-
 include/crypto/public_key.h               |  18 +-
 include/keys/system_keyring.h             |   7 +
 include/linux/asn1_ber_bytecode.h         |  16 +-
 include/linux/lsm_audit.h                 |   7 +
 include/linux/lsm_hooks.h                 |   6 +-
 include/linux/oid_registry.h              |   7 +-
 include/linux/ptrace.h                    |   1 +
 include/linux/seccomp.h                   |   2 +-
 include/linux/verify_pefile.h             |   6 +-
 include/uapi/linux/ptrace.h               |   6 +-
 init/Kconfig                              |  40 ++-
 kernel/Makefile                           |  97 ------
 kernel/module_signing.c                   | 213 ++-----------
 kernel/ptrace.c                           |  13 +
 kernel/seccomp.c                          |  17 +-
 lib/asn1_decoder.c                        |  27 ++-
 scripts/.gitignore                        |   2 +
 scripts/Kbuild.include                    |  51 +++
 scripts/Makefile                          |   4 +
 scripts/Makefile.modinst                  |   2 +-
 scripts/asn1_compiler.c                   | 248 +++++++++------
 scripts/extract-cert.c                    | 166 ++++++++++
 scripts/selinux/mdp/mdp.c                 |   1 +
 scripts/sign-file                         | 421 ------------------------
 scripts/sign-file.c                       | 260 +++++++++++++++
 security/Kconfig                          |   5 -
 security/lsm_audit.c                      |  15 +
 security/security.c                       |  11 +-
 security/selinux/avc.c                    | 418 +++++++++++++++++++++++-
 security/selinux/hooks.c                  | 147 ++++++---
 security/selinux/include/avc.h            |   6 +
 security/selinux/include/security.h       |  32 ++-
 security/selinux/ss/avtab.c               | 104 +++++-
 security/selinux/ss/avtab.h               |  33 ++-
 security/selinux/ss/conditional.c         |  32 ++-
 security/selinux/ss/conditional.h         |   6 +-
 security/selinux/ss/policydb.c            |   5 +
 security/selinux/ss/services.c            | 213 +++++++++++--
 security/selinux/ss/services.h            |   6 +
 security/smack/smack.h                    |  66 ++++-
 security/smack/smack_access.c             |   6 +
 security/smack/smack_lsm.c                | 511 ++++++++++++++++++++++-------
 security/smack/smackfs.c                  | 436 ++++++++++++++++++++-----
 security/yama/Kconfig                     |   9 +-
 security/yama/yama_lsm.c                  |  32 +--
 76 files changed, 3588 insertions(+), 1406 deletions(-)
 create mode 100644 certs/Kconfig
 create mode 100644 certs/Makefile
 rename {kernel => certs}/system_certificates.S (80%)
 rename {kernel => certs}/system_keyring.c (68%)
 create mode 100644 crypto/asymmetric_keys/x509_akid.asn1
 create mode 100644 scripts/extract-cert.c
 delete mode 100755 scripts/sign-file
 create mode 100755 scripts/sign-file.c