From: Roberto Sassu
Subject: [PATCH 0/7] ima/evm: Small enhancements
Date: Fri, 9 Apr 2021 13:43:06 +0200
Message-ID: <20210409114313.4073-1-roberto.sassu@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

This patch set provides some small enhancements for IMA and EVM.

Patch 1 avoids measurement and audit when access to the file will be
denied by IMA itself.

Patch 2 introduces a new policy keyword meta_immutable to protect the
label transition during binary execution.

Patches 3-5 add new hard-coded policies aiming at producing measurements
or enforcing access to files that are likely provided by software
vendors.

Patch 6 increases the crypto resistance of EVM by allowing the choice of
the hash algorithm for the HMAC.

Patch 7 adds two new values for the evm= option in the kernel command
line to facilitate the setup of EVM.

Roberto Sassu (7):
  ima: Avoid measurement and audit if access to the file will be denied
  ima: Add meta_immutable appraisal type
  ima: Introduce exec_tcb and tmpfs policies
  ima: Introduce appraise_exec_tcb and appraise_tmpfs policies
  ima: Introduce appraise_exec_immutable policy
  evm: Allow choice of hash algorithm for HMAC
  evm: Extend evm= with allow_metadata_writes and complete values

 Documentation/ABI/testing/ima_policy          |  2 +-
 .../admin-guide/kernel-parameters.txt         | 36 +++++++-
 security/integrity/evm/Kconfig                | 34 +++++++
 security/integrity/evm/evm.h                  |  2 +
 security/integrity/evm/evm_crypto.c           | 55 ++++++++++-
 security/integrity/evm/evm_main.c             | 29 ++++--
 security/integrity/ima/ima_appraise.c         |  9 ++
 security/integrity/ima/ima_main.c             | 20 +++--
 security/integrity/ima/ima_policy.c           | 90 ++++++++++++++-----
 security/integrity/integrity.h                |  4 +-
 10 files changed, 232 insertions(+), 49 deletions(-)

-- 
2.26.2