Hi Linus,

Two IMA changes, one EVM change, a use after free bug fix, and a code
cleanup to address "-Wflex-array-member-not-at-end" warnings:

- The existing IMA {ascii, binary}_runtime_measurements lists include
  a hard coded SHA1 hash. To address this limitation, define per TPM
  enabled hash algorithm {ascii, binary}_runtime_measurements lists.

- Close an IMA integrity init_module syscall measurement gap by
  defining a new critical-data record.

- Enable (partial) EVM support on stacked filesystems (overlayfs).
  Only EVM portable & immutable file signatures are copied up, since
  they do not contain filesystem specific metadata.

thanks,

Mimi

The following changes since commit fec50db7033ea478773b159e0e2efb135270e3b7:

  Linux 6.9-rc3 (2024-04-07 13:22:46 -0700)

are available in the Git repository at:

  ssh://gitolite@xxxxxxxxxxxxx/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v6.10

for you to fetch changes up to 9fa8e76250082a45d0d3dad525419ab98bd01658:

  ima: add crypto agility support for template-hash algorithm (2024-04-12 09:59:04 -0400)

----------------------------------------------------------------
integrity-v6.10

----------------------------------------------------------------
Enrico Bravi (1):
      ima: add crypto agility support for template-hash algorithm

Gustavo A. R. Silva (1):
      integrity: Avoid -Wflex-array-member-not-at-end warnings

Mimi Zohar (1):
      ima: define an init_module critical data record

Stefan Berger (11):
      ima: Fix use-after-free on a dentry's dname.name
      ima: Rename backing_inode to real_inode
      security: allow finer granularity in permitting copy-up of security xattrs
      evm: Implement per signature type decision in security_inode_copy_up_xattr
      evm: Use the metadata inode to calculate metadata hash
      ima: Move file-change detection variables into new structure
      evm: Store and detect metadata inode attributes changes
      ima: re-evaluate file integrity on file metadata change
      evm: Enforce signatures on unsupported filesystem for EVM_INIT_X509
      fs: Rename SB_I_EVM_UNSUPPORTED to SB_I_EVM_HMAC_UNSUPPORTED
      evm: Rename is_unsupported_fs to is_unsupported_hmac_fs

 fs/overlayfs/copy_up.c                    |   2 +-
 fs/overlayfs/super.c                      |   2 +-
 include/linux/evm.h                       |   8 ++
 include/linux/fs.h                        |   2 +-
 include/linux/integrity.h                 |  34 ++++++++
 include/linux/lsm_hook_defs.h             |   3 +-
 include/linux/security.h                  |   4 +-
 security/integrity/evm/evm.h              |   8 +-
 security/integrity/evm/evm_crypto.c       |  25 ++++--
 security/integrity/evm/evm_main.c         |  92 +++++++++++++++-----
 security/integrity/ima/ima.h              |  12 ++-
 security/integrity/ima/ima_api.c          |  32 ++++---
 security/integrity/ima/ima_appraise.c     |   4 +-
 security/integrity/ima/ima_crypto.c       |   7 +-
 security/integrity/ima/ima_fs.c           | 134 +++++++++++++++++++++++++++---
 security/integrity/ima/ima_iint.c         |   2 +-
 security/integrity/ima/ima_init.c         |   6 +-
 security/integrity/ima/ima_kexec.c        |   1 +
 security/integrity/ima/ima_main.c         |  44 +++++++---
 security/integrity/ima/ima_template_lib.c |  27 ++++--
 security/integrity/integrity.h            |  12 ++-
 security/security.c                       |   5 +-
 security/selinux/hooks.c                  |   2 +-
 security/smack/smack_lsm.c                |   2 +-
 24 files changed, 374 insertions(+), 96 deletions(-)