Hi Linus,

Two new features - measuring certificates and querying IMA for a file
hash - and three bug fixes are included in this pull request.

- Measuring certificates is like the rest of IMA, based on policy, but
requires loading a custom policy. Certificates loaded onto a keyring,
for example during early boot, before a custom policy has been loaded,
are queued and only processed after loading the custom policy.

- IMA calculates and caches file hashes. Other kernel subsystems, and
possibly kernel modules, are interested in accessing these cached file
hashes.

The bug fixes prevent classifying a file short read (e.g. shutdown) as
an invalid file signature, add a missing blank when displaying the
securityfs policy rules containing LSM labels, and, lastly, fix the
handling of the IMA policy information for unknown LSM labels.

thanks,

Mimi

The following changes since commit e42617b825f8073569da76dc4510bfa019b1c35a:

  Linux 5.5-rc1 (2019-12-08 14:57:55 -0800)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity

for you to fetch changes up to d54e17b4066612d88c4ef3e5fb3115f12733763d:

  Merge branch 'next-integrity.defer-measuring-keys' into next-integrity (2020-01-23 17:24:35 -0500)

----------------------------------------------------------------
Clay Chang (1):
      ima: Add a space after printing LSM rules for readability

Florent Revest (1):
      ima: add the ability to query the cached hash of a given file

Janne Karhunen (1):
      ima: ima/lsm policy rule loading logic bug fixes

Lakshmi Ramasubramanian (11):
      IMA: Check IMA policy flag
      IMA: Add KEY_CHECK func to measure keys
      IMA: Define an IMA hook to measure keys
      KEYS: Call the IMA hook to measure keys
      IMA: Add support to limit measuring keys
      IMA: Read keyrings= option from the IMA policy
      IMA: fix measuring asymmetric keys Kconfig
      IMA: pre-allocate buffer to hold keyrings string
      IMA: Define workqueue for early boot key measurements
      IMA: Call workqueue functions to measure queued keys
      IMA: Defined delayed workqueue to free the queued keys

Mimi Zohar (2):
      Merge branch 'next-integrity.measure-keys' into next-integrity
      Merge branch 'next-integrity.defer-measuring-keys' into next-integrity

Patrick Callaghan (1):
      ima: avoid appraise error for hash calc interrupt

 Documentation/ABI/testing/ima_policy         |  16 ++-
 include/linux/ima.h                          |  20 ++++
 security/integrity/ima/Kconfig               |  12 ++
 security/integrity/ima/Makefile              |   2 +
 security/integrity/ima/ima.h                 |  33 +++++-
 security/integrity/ima/ima_api.c             |   8 +-
 security/integrity/ima/ima_appraise.c        |   4 +-
 security/integrity/ima/ima_asymmetric_keys.c |  66 +++++++++++
 security/integrity/ima/ima_crypto.c          |   4 +-
 security/integrity/ima/ima_init.c            |   8 +-
 security/integrity/ima/ima_main.c            |  61 +++++++++-
 security/integrity/ima/ima_policy.c          | 165 ++++++++++++++++++++++----
 security/integrity/ima/ima_queue_keys.c      | 171 +++++++++++++++++++++++++++
 security/keys/key.c                          |  10 ++
 14 files changed, 540 insertions(+), 40 deletions(-)
 create mode 100644 security/integrity/ima/ima_asymmetric_keys.c
 create mode 100644 security/integrity/ima/ima_queue_keys.c