Hi Linus,
Included in this pull request are just 3 patches. Other integrity
changes are being upstreamed via EFI (defines a common EFI secure and
trusted boot IMA policy) and BPF LSM (exporting the IMA file cache hash
info based on inode).
The 3 patches included in this pull request:
- bug fix: fail calculating the file hash, when a file not opened for
read and the attempt to re-open it for read fails.
- defer processing the "ima_appraise" boot command line option to avoid
enabling different modes (e.g. fix, log) to when the secure boot flag
is available on arm.
- defines "ima-buf" as the default IMA buffer measurement template in
preparation for the builtin integrity "critical data" policy.
thanks,
Mimi
The following changes since commit 3cea11cd5e3b00d91caf0b4730194039b45c5891:
Linux 5.10-rc2 (2020-11-01 14:43:51 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v5.11
for you to fetch changes up to 207cdd565dfc95a0a5185263a567817b7ebf5467:
ima: Don't modify file descriptor mode on the fly (2020-11-29 07:02:53 -0500)
----------------------------------------------------------------
integrity-v5.11
----------------------------------------------------------------
Ard Biesheuvel (1):
ima: defer arch_ima_get_secureboot() call to IMA init time
Lakshmi Ramasubramanian (1):
ima: select ima-buf template for buffer measurement
Roberto Sassu (1):
ima: Don't modify file descriptor mode on the fly
include/linux/ima.h | 6 ++++++
security/integrity/ima/ima.h | 1 +
security/integrity/ima/ima_appraise.c | 17 +++++++++++------
security/integrity/ima/ima_crypto.c | 20 +++++---------------
security/integrity/ima/ima_main.c | 25 ++++++++++---------------
security/integrity/ima/ima_policy.c | 2 +-
security/integrity/ima/ima_template.c | 26 ++++++++++++++++++++++++++
7 files changed, 60 insertions(+), 37 deletions(-)
