Date: Thu, 16 Aug 2018 08:48:59 +1000 (AEST)
From: James Morris
To: Linus Torvalds
cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [GIT PULL] security subsystem: Integrity updates for v4.19

From Mimi Zohar:

"This pull request adds support for EVM signatures based on larger
digests, contains a new audit record AUDIT_INTEGRITY_POLICY_RULE to
differentiate the IMA policy rules from the IMA-audit messages,
addresses two deadlocks due to either loading or searching for crypto
algorithms, and cleans up the audit messages."

The following changes since commit 87ea58433208d17295e200d56be5e2a4fe4ce7d6:

  security: check for kstrdup() failure in lsm_append() (2018-07-17 21:27:06 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next-integrity

for you to fetch changes up to 3dd0f18c70d94ca2432c78c5735744429f071b0b:

  EVM: fix return value check in evm_write_xattrs() (2018-07-22 14:49:11 -0400)

----------------------------------------------------------------
Matthew Garrett (2):
      evm: Don't deadlock if a crypto algorithm is unavailable
      evm: Allow non-SHA1 digital signatures

Mikhail Kurinnoi (1):
      integrity: prevent deadlock during digsig verification.

Stefan Berger (4):
      ima: Call audit_log_string() rather than logging it untrusted
      ima: Use audit_log_format() rather than audit_log_string()
      ima: Do not audit if CONFIG_INTEGRITY_AUDIT is not set
      ima: Differentiate auditing policy rules from "audit" actions

Sudeep Holla (1):
      integrity: silence warning when CONFIG_SECURITYFS is not enabled

Wei Yongjun (1):
      EVM: fix return value check in evm_write_xattrs()

 crypto/api.c                           |  2 +-
 include/linux/crypto.h                 |  5 ++++
 include/linux/integrity.h              | 13 +++++++++
 include/uapi/linux/audit.h             |  1 +
 security/integrity/digsig_asymmetric.c | 23 ++++++++++++++++
 security/integrity/evm/Kconfig         |  1 +
 security/integrity/evm/evm.h           | 10 +++++--
 security/integrity/evm/evm_crypto.c    | 50 ++++++++++++++++++----------------
 security/integrity/evm/evm_main.c      | 19 ++++++++-----
 security/integrity/evm/evm_secfs.c     |  4 +--
 security/integrity/iint.c              |  9 ++++--
 security/integrity/ima/Kconfig         |  1 +
 security/integrity/ima/ima_policy.c    |  9 ++++--
 security/integrity/integrity.h         | 15 ++++++++++
 security/integrity/integrity_audit.c   |  6 +---
 security/security.c                    |  7 ++++-
 16 files changed, 128 insertions(+), 47 deletions(-)