Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1750937AbdIJENB (ORCPT ); Sun, 10 Sep 2017 00:13:01 -0400 Received: from namei.org ([65.99.196.166]:34766 "EHLO namei.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750730AbdIJEM7 (ORCPT ); Sun, 10 Sep 2017 00:12:59 -0400 Date: Sun, 10 Sep 2017 14:12:22 +1000 (AEST) From: James Morris To: Linus Torvalds cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Mimi Zohar , Christoph Hellwig Subject: [GIT PULL] Security susbsystem updates for v4.14 (v2) Message-ID: User-Agent: Alpine 2.21 (LRH 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 11882 Lines: 254 Here's an updated pull request with the IMA integrity_read() patch reverted. Note that this restores the orginal buggy behavior with XFS/IMA deadlock the builtin ima_tcb policy wand XFS rootfs. Everything else is the same as the last pull request. AppArmor: - Add mediation of mountpoints and signals - Add support for absolute root view based labels - add base infastructure for socket mediation LSM: - Remove unused security_task_create() hook TPM: - Some constification and minor updates. SELinux: - from Paul Moore: "A relatively quiet period for SELinux, 11 patches with only two/three having any substantive changes. These noteworthy changes include another tweak to the NNP/nosuid handling, per-file labeling for cgroups, and an object class fix for AF_UNIX/SOCK_RAW sockets; the rest of the changes are minor tweaks or administrative updates (Stephen's email update explains the file explosion in the diffstat)." Seccomp: - from Kees Cook: "Major additions: - sysctl and seccomp operation to discover available actions. (tyhicks) - new per-filter configurable logging infrastructure and sysctl. (tyhicks) - SECCOMP_RET_LOG to log allowed syscalls. (tyhicks) - SECCOMP_RET_KILL_PROCESS as the new strictest possible action. - self-tests for new behaviors." And nothing for Smack, for the first time perhaps. Please pull. The following changes since commit 520eccdfe187591a51ea9ab4c1a024ae4d0f68d9: Linux 4.13-rc2 (2017-07-23 16:15:17 -0700) are available in the git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next for you to fetch changes up to 10e3781dda776f9bccb8aab31daa251dc149dd00: Revert "ima: use fs method to read integrity data" (2017-09-09 19:10:44 -0700) ---------------------------------------------------------------- Antonio Murdaca (1): selinux: allow per-file labeling for cgroupfs Arvind Yadav (3): tpm: tpm_crb: constify acpi_device_id. tpm: vtpm: constify vio_device_id selinux: constify nf_hook_ops Christoph Hellwig (1): ima: use fs method to read integrity data Christos Gkekas (1): apparmor: Fix logical error in verify_header() Dan Carpenter (1): apparmor: Fix an error code in aafs_create() Enric Balletbo i Serra (1): Documentation: tpm: add powered-while-suspended binding documentation Geert Uytterhoeven (1): apparmor: Fix shadowed local variable in unpack_trans_table() Hamza Attak (1): tpm: replace msleep() with usleep_range() in TPM 1.2/2.0 generic drivers James Morris (4): sync to Linus v4.13-rc2 for subsystem developers to work against Merge tag 'seccomp-next' of git://git.kernel.org/.../kees/linux into next Merge tag 'selinux-pr-20170831' of git://git.kernel.org/.../pcmoore/selinux into next Revert "ima: use fs method to read integrity data" John Johansen (13): apparmor: Redundant condition: prev_ns. in [label.c:1498] apparmor: add the ability to mediate signals apparmor: add mount mediation apparmor: cleanup conditional check for label in label_print apparmor: add support for absolute root view based labels apparmor: make policy_unpack able to audit different info messages apparmor: add more debug asserts to apparmorfs apparmor: add base infastructure for socket mediation apparmor: move new_null_profile to after profile lookup fns() apparmor: fix race condition in null profile creation apparmor: ensure unconfined profiles have dfas initialized apparmor: fix incorrect type assignment when freeing proxies apparmor: fix build failure on sparc caused by undeclared, signals Kees Cook (9): selftests/seccomp: Add tests for basic ptrace actions selftests/seccomp: Add simple seccomp overhead benchmark selftests/seccomp: Refactor RET_ERRNO tests seccomp: Provide matching filter for introspection seccomp: Rename SECCOMP_RET_KILL to SECCOMP_RET_KILL_THREAD seccomp: Introduce SECCOMP_RET_KILL_PROCESS seccomp: Implement SECCOMP_RET_KILL_PROCESS action selftests/seccomp: Test thread vs process killing samples: Unrename SECCOMP_RET_KILL Luis Ressel (1): selinux: Assign proper class to PF_UNIX/SOCK_RAW sockets Michal Hocko (1): selinux: use GFP_NOWAIT in the AVC kmem_caches Michal Suchanek (1): tpm: ibmvtpm: simplify crq initialization and document crq format Mimi Zohar (6): ima: don't remove the securityfs policy file libfs: define simple_read_iter_from_buffer efivarfs: replaces the read file operation with read_iter ima: always measure and audit files in policy ima: define "dont_failsafe" policy action rule ima: define "fs_unsafe" builtin policy Paul Moore (4): credits: update Paul Moore's info selinux: update the selinux info in MAINTAINERS MAINTAINERS: update the NetLabel and Labeled Networking information MAINTAINERS: update the NetLabel and Labeled Networking information Stefan Berger (1): security: fix description of values returned by cap_inode_need_killpriv Stephen Smalley (4): selinux: genheaders should fail if too many permissions are defined selinux: Generalize support for NNP/nosuid SELinux domain transitions selinux: update my email address lsm_audit: update my email address Tetsuo Handa (2): LSM: Remove security_task_create() hook. tomoyo: Update URLs in Documentation/admin-guide/LSM/tomoyo.rst Tyler Hicks (6): seccomp: Sysctl to display available actions seccomp: Operation for checking if an action is available seccomp: Sysctl to configure actions that are allowed to be logged seccomp: Selftest for detection of filter flag support seccomp: Filter flag to log all actions except SECCOMP_RET_ALLOW seccomp: Action to log before allowing CREDITS | 8 +- Documentation/ABI/testing/ima_policy | 3 +- Documentation/admin-guide/LSM/tomoyo.rst | 24 +- Documentation/admin-guide/kernel-parameters.txt | 8 +- .../devicetree/bindings/security/tpm/tpm-i2c.txt | 6 + Documentation/networking/filter.txt | 2 +- Documentation/sysctl/kernel.txt | 1 + Documentation/userspace-api/seccomp_filter.rst | 52 +- MAINTAINERS | 29 +- drivers/char/tpm/tpm-interface.c | 10 +- drivers/char/tpm/tpm.h | 9 +- drivers/char/tpm/tpm2-cmd.c | 2 +- drivers/char/tpm/tpm_crb.c | 2 +- drivers/char/tpm/tpm_ibmvtpm.c | 98 +-- drivers/char/tpm/tpm_infineon.c | 6 +- drivers/char/tpm/tpm_tis_core.c | 8 +- fs/efivarfs/file.c | 11 +- fs/libfs.c | 32 + include/linux/audit.h | 6 +- include/linux/fs.h | 2 + include/linux/lsm_audit.h | 2 +- include/linux/lsm_hooks.h | 7 - include/linux/seccomp.h | 3 +- include/linux/security.h | 6 - include/uapi/linux/seccomp.h | 23 +- kernel/fork.c | 4 - kernel/seccomp.c | 321 +++++++++- scripts/selinux/genheaders/genheaders.c | 7 +- security/apparmor/.gitignore | 1 + security/apparmor/Makefile | 43 +- security/apparmor/apparmorfs.c | 37 +- security/apparmor/domain.c | 4 +- security/apparmor/file.c | 30 + security/apparmor/include/apparmor.h | 2 + security/apparmor/include/audit.h | 39 +- security/apparmor/include/domain.h | 5 + security/apparmor/include/ipc.h | 6 + security/apparmor/include/label.h | 1 + security/apparmor/include/mount.h | 54 ++ security/apparmor/include/net.h | 114 ++++ security/apparmor/include/perms.h | 5 +- security/apparmor/include/policy.h | 13 + security/apparmor/include/sig_names.h | 98 +++ security/apparmor/ipc.c | 99 +++ security/apparmor/label.c | 36 +- security/apparmor/lib.c | 5 +- security/apparmor/lsm.c | 472 ++++++++++++++ security/apparmor/mount.c | 696 +++++++++++++++++++++ security/apparmor/net.c | 184 ++++++ security/apparmor/policy.c | 166 ++--- security/apparmor/policy_ns.c | 2 + security/apparmor/policy_unpack.c | 105 +++- security/commoncap.c | 6 +- security/integrity/ima/ima.h | 1 + security/integrity/ima/ima_api.c | 67 +- security/integrity/ima/ima_crypto.c | 10 + security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_main.c | 19 +- security/integrity/ima/ima_policy.c | 41 +- security/lsm_audit.c | 2 +- security/security.c | 5 - security/selinux/avc.c | 16 +- security/selinux/hooks.c | 56 +- security/selinux/include/avc.h | 2 +- security/selinux/include/avc_ss.h | 2 +- security/selinux/include/classmap.h | 2 + security/selinux/include/objsec.h | 2 +- security/selinux/include/security.h | 4 +- security/selinux/ss/avtab.c | 2 +- security/selinux/ss/avtab.h | 2 +- security/selinux/ss/constraint.h | 2 +- security/selinux/ss/context.h | 2 +- security/selinux/ss/ebitmap.c | 2 +- security/selinux/ss/ebitmap.h | 2 +- security/selinux/ss/hashtab.c | 2 +- security/selinux/ss/hashtab.h | 2 +- security/selinux/ss/mls.c | 2 +- security/selinux/ss/mls.h | 2 +- security/selinux/ss/mls_types.h | 2 +- security/selinux/ss/policydb.c | 2 +- security/selinux/ss/policydb.h | 2 +- security/selinux/ss/services.c | 9 +- security/selinux/ss/services.h | 2 +- security/selinux/ss/sidtab.c | 2 +- security/selinux/ss/sidtab.h | 2 +- security/selinux/ss/symtab.c | 2 +- security/selinux/ss/symtab.h | 2 +- tools/testing/selftests/seccomp/Makefile | 18 +- .../testing/selftests/seccomp/seccomp_benchmark.c | 99 +++ tools/testing/selftests/seccomp/seccomp_bpf.c | 610 +++++++++++++++--- 90 files changed, 3457 insertions(+), 463 deletions(-) create mode 100644 security/apparmor/include/mount.h create mode 100644 security/apparmor/include/net.h create mode 100644 security/apparmor/include/sig_names.h create mode 100644 security/apparmor/mount.c create mode 100644 security/apparmor/net.c create mode 100644 tools/testing/selftests/seccomp/seccomp_benchmark.c