Received: by 10.223.185.116 with SMTP id b49csp1060480wrg; Fri, 23 Feb 2018 11:11:23 -0800 (PST) X-Google-Smtp-Source: AH8x225Y5ZE7afzqXIs7N/YbRWaZr2T3phd8Z4vKsES/ND8qRpyhNqkKQsNjoRSrcDy0M/+igFmk X-Received: by 2002:a17:902:8341:: with SMTP id z1-v6mr2672345pln.386.1519413083598; Fri, 23 Feb 2018 11:11:23 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519413083; cv=none; d=google.com; s=arc-20160816; b=IoH3I+exHf0ndl1QeiNt0siaZbxOxjnQiUQ94idHjjoUpglbs7kH30BETdVMp0ysFP buZdvF9k+uJtfYbR+bJgvYNdOhvn2Us3UWrc36tnzrcakU2gO1648OCxjqfCKdTApBFd 5N90rkJ4S9qZVcB1YfOCocHt1dDT5Bt7toBI2kiPA4f/bnKerlFWlz7KJtPbPyXM5xq/ euStHILPlWHOLAsR2/o5CG9ZVBTHYVzVvpQTUDUbyzBCF19Whko5AYOKMZZxpqHT7jVI 3M4+Mlzw/GZhN3bYUXTT6H5AoKM555MtzohgmlF6GYgklfn4gPry3N09e8WRGxdqmYJk ITqA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:message-id :subject:cc:to:from:date:arc-authentication-results; bh=07CRYMWyqsjHZmwpoYQD91zOoqCwZPlF6TdQF4/QXFQ=; b=OkxsWg7BnkG8J1i+CVmpKEVRr8tdSSvcGpgV5rqcuxXey03p3spDbzI0fr4VRDnnA4 jV7E7QWXwsS2hPvHivqoIPB0S5R8y+W07piO/IEU9uLvOkhJ9HFpWhod0yF45YncrxzY 6mnCsAXvMgZ3CObt7RftKCe3d+H3CvfNkd95Y3QlfKRQh/mlJPCNQO0A7q1v1reSrlSf aQpYBYK3hNQbe/2nzMAY84cc01o8Rmc4w8KRYODA2elvsKzHRmK/MJLCVxuMC6mp/uUT 8k7ybidsq6jFO7cUNu5a8wVgPmHLKu2U1aJpGycGHSHTMTKZ83bRr9Swm81LTP+TcTR7 hw7Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t18si2242938pfg.246.2018.02.23.11.11.06; Fri, 23 Feb 2018 11:11:23 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S965329AbeBWTK3 (ORCPT + 99 others); Fri, 23 Feb 2018 14:10:29 -0500 Received: from namei.org ([65.99.196.166]:50440 "EHLO namei.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S965202AbeBWTK1 (ORCPT ); Fri, 23 Feb 2018 14:10:27 -0500 Received: from localhost (localhost [127.0.0.1]) by namei.org (8.14.4/8.14.4) with ESMTP id w1NJANdO003453; Fri, 23 Feb 2018 19:10:23 GMT Date: Sat, 24 Feb 2018 06:10:23 +1100 (AEDT) From: James Morris To: Linus Torvalds cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [GIT PULL] Security subsystem fixes for v4.16-rc3 Message-ID: User-Agent: Alpine 2.21 (LRH 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Please pull these updates, which include: - Keys fixes via David Howells: "Here's a collection of fixes for Linux keyrings, mostly thanks to Eric Biggers, if you could pass them along to Linus. They include: (1) Fix some PKCS#7 verification issues. (2) Fix handling of unsupported crypto in X.509. (3) Fix too-large allocation in big_key." - Seccomp updates via Kees Cook: "Please pull these seccomp changes for v4.16-rc3. These are fixes for the get_metadata interface that landed during -rc1. While the new selftest is strictly not a bug fix, I think it's in the same spirit of avoiding bugs." And also an IMA build fix from Randy Dunlap. --- The following changes since commit af3e79d29555b97dd096e2f8e36a0f50213808a8: Merge tag 'leds_for-4.16-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds (2018-02-20 10:05:02 -0800) are available in the git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git fixes-v4.16-rc3 for you to fetch changes up to 120f3b11ef88fc38ce1d0ff9c9a4b37860ad3140: integrity/security: fix digsig.c build error with header file (2018-02-22 20:09:08 -0800) ---------------------------------------------------------------- David Howells (1): KEYS: Use individual pages in big_key for crypto buffers Eric Biggers (5): PKCS#7: fix certificate chain verification PKCS#7: fix certificate blacklisting PKCS#7: fix direct verification of SignerInfo signature X.509: fix BUG_ON() when hash algorithm is unsupported X.509: fix NULL dereference when restricting key with unsupported_sig James Morris (2): Merge tag 'seccomp-v4.16-rc3' of https://git.kernel.org/.../kees/linux into fixes-v4.16-rc3 Merge tag 'keys-fixes-20180222-2' of https://git.kernel.org/.../dhowells/linux-fs into fixes-v4.16-rc3 Randy Dunlap (1): integrity/security: fix digsig.c build error with header file Tycho Andersen (3): seccomp, ptrace: switch get_metadata types to arch independent ptrace, seccomp: tweak get_metadata behavior slightly seccomp: add a selftest for get_metadata crypto/asymmetric_keys/pkcs7_trust.c | 1 + crypto/asymmetric_keys/pkcs7_verify.c | 12 +-- crypto/asymmetric_keys/public_key.c | 4 +- crypto/asymmetric_keys/restrict.c | 21 +++-- include/uapi/linux/ptrace.h | 4 +- kernel/seccomp.c | 6 +- security/integrity/digsig.c | 1 + security/keys/big_key.c | 110 ++++++++++++++++++++------ tools/testing/selftests/seccomp/seccomp_bpf.c | 61 ++++++++++++++ 9 files changed, 179 insertions(+), 41 deletions(-)