From patchwork Tue Jul 24 11:00:23 2018
X-Patchwork-Submitter: Mimi Zohar
X-Patchwork-Id: 10541835
Subject: [GIT PULL] linux-integrity patches for 4.19
From: Mimi Zohar
To: James Morris
Cc: linux-security-module, linux-integrity
Date: Tue, 24 Jul 2018 07:00:23 -0400
Message-Id: <1532430023.4127.10.camel@linux.ibm.com>

Hi James,

This pull request adds support for EVM signatures based on larger
digests, contains a new audit record AUDIT_INTEGRITY_POLICY_RULE to
differentiate the IMA policy rules from the IMA-audit messages,
addresses two deadlocks due to either loading or searching for crypto
algorithms, and cleans up the audit messages.

New to 4.19, but not included in this pull request, is support for a
build time IMA policy.  Build time IMA policy rules are automatically
enabled on boot and persist after loading a custom policy.

Mimi

The following changes since commit 87ea58433208d17295e200d56be5e2a4fe4ce7d6:

  security: check for kstrdup() failure in lsm_append() (2018-07-17 21:27:06 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity

for you to fetch changes up to 3dd0f18c70d94ca2432c78c5735744429f071b0b:

  EVM: fix return value check in evm_write_xattrs() (2018-07-22 14:49:11 -0400)

----------------------------------------------------------------
Matthew Garrett (2):
      evm: Don't deadlock if a crypto algorithm is unavailable
      evm: Allow non-SHA1 digital signatures

Mikhail Kurinnoi (1):
      integrity: prevent deadlock during digsig verification.

Stefan Berger (4):
      ima: Call audit_log_string() rather than logging it untrusted
      ima: Use audit_log_format() rather than audit_log_string()
      ima: Do not audit if CONFIG_INTEGRITY_AUDIT is not set
      ima: Differentiate auditing policy rules from "audit" actions

Sudeep Holla (1):
      integrity: silence warning when CONFIG_SECURITYFS is not enabled

Wei Yongjun (1):
      EVM: fix return value check in evm_write_xattrs()

 crypto/api.c                           |  2 +-
 include/linux/crypto.h                 |  5 ++++
 include/linux/integrity.h              | 13 +++++++++
 include/uapi/linux/audit.h             |  1 +
 security/integrity/digsig_asymmetric.c | 23 ++++++++++++++++
 security/integrity/evm/Kconfig         |  1 +
 security/integrity/evm/evm.h           | 10 +++++--
 security/integrity/evm/evm_crypto.c    | 50 ++++++++++++++++++----------------
 security/integrity/evm/evm_main.c      | 19 ++++++++-----
 security/integrity/evm/evm_secfs.c     |  4 +--
 security/integrity/iint.c              |  9 ++++--
 security/integrity/ima/Kconfig         |  1 +
 security/integrity/ima/ima_policy.c    |  9 ++++--
 security/integrity/integrity.h         | 15 ++++++++++
 security/integrity/integrity_audit.c   |  6 +---
 security/security.c                    |  7 ++++-
 16 files changed, 128 insertions(+), 47 deletions(-)