Hi Linus,

New is IMA support for measuring kernel critical data, as per usual based on policy. The first example measures the in memory SELinux policy. The second example measures the kernel version. In addition are four bug fixes to address memory leaks and a missing "static" function declaration.

[FYI: Stephen is carrying a manual merge of the pidfd tree with the integrity tree.]

thanks,

Mimi

The following changes since commit 7c53f6b671f4aba70ff15e1b05148b10d58c2837:

  Linux 5.11-rc3 (2021-01-10 14:34:50 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v5.12

for you to fetch changes up to f6692213b5045dc461ce0858fb18cf46f328c202:

  integrity: Make function integrity_add_key() static (2021-02-12 11:11:59 -0500)

----------------------------------------------------------------
integrity-v5.12

----------------------------------------------------------------
Dinghao Liu (1):
      evm: Fix memleak in init_desc

Lakshmi Ramasubramanian (4):
      IMA: define a builtin critical data measurement policy
      selinux: include a consumer of the new IMA critical data hook
      ima: Free IMA measurement buffer on error
      ima: Free IMA measurement buffer after kexec syscall

Mimi Zohar (2):
      Merge branch 'measure-critical-data' into next-integrity
      Merge branch 'ima-kexec-fixes' into next-integrity

Raphael Gianotti (1):
      IMA: Measure kernel version in early boot

Tushar Sugandhi (6):
      IMA: generalize keyring specific measurement constructs
      IMA: add support to measure buffer data hash
      IMA: define a hook to measure kernel integrity critical data
      IMA: add policy rule to measure critical data
      IMA: limit critical data measurement based on a label
      IMA: extend critical data hook to limit the measurement based on a label

Wei Yongjun (1):
      integrity: Make function integrity_add_key() static

 Documentation/ABI/testing/ima_policy | 5 +-
 Documentation/admin-guide/kernel-parameters.txt | 5 +-
 include/linux/ima.h | 10 +++
 include/linux/kexec.h | 5 ++
 kernel/kexec_file.c | 5 ++
 security/integrity/digsig.c | 4 +-
 security/integrity/evm/evm_crypto.c | 7 +-
 security/integrity/ima/ima.h | 8 +-
 security/integrity/ima/ima_api.c | 8 +-
 security/integrity/ima/ima_appraise.c | 2 +-
 security/integrity/ima/ima_asymmetric_keys.c | 2 +-
 security/integrity/ima/ima_init.c | 5 ++
 security/integrity/ima/ima_kexec.c | 3 +
 security/integrity/ima/ima_main.c | 59 ++++++++++--
 security/integrity/ima/ima_policy.c | 115 +++++++++++++++++++-----
 security/integrity/ima/ima_queue_keys.c | 3 +-
 security/selinux/Makefile | 2 +
 security/selinux/ima.c | 44 +++++++++
 security/selinux/include/ima.h | 24 +++++
 security/selinux/include/security.h | 3 +-
 security/selinux/ss/services.c | 64 +++++++++++--
 21 files changed, 329 insertions(+), 54 deletions(-)
 create mode 100644 security/selinux/ima.c
 create mode 100644 security/selinux/include/ima.h