Linux kernel documentation tree maintained by Jonathan Corbet http://mirrors.hust.edu.cn/git/lwn.git/atom?h=docs-4.16 2017-11-08T20:16:36+00:00 2017-11-08T20:16:36+00:00 Thomas Meyer thomas@m3y3r.de 2017-10-07T14:02:21+00:00 urn:sha1:39adb92598a7466e00f72bb8a197d8811017418a Bool initializations should use true and false. Bool tests don't need comparisons. Signed-off-by: Thomas Meyer <thomas@m3y3r.de> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> 2017-07-05T18:26:35+00:00 Linus Torvalds torvalds@linux-foundation.org 2017-07-05T18:26:35+00:00 urn:sha1:e24dd9ee5399747b71c1d982a484fc7601795f31 Pull security layer updates from James Morris: - a major update for AppArmor. From JJ: * several bug fixes and cleanups * the patch to add symlink support to securityfs that was floated on the list earlier and the apparmorfs changes that make use of securityfs symlinks * it introduces the domain labeling base code that Ubuntu has been carrying for several years, with several cleanups applied. And it converts the current mediation over to using the domain labeling base, which brings domain stacking support with it. This finally will bring the base upstream code in line with Ubuntu and provide a base to upstream the new feature work that Ubuntu carries. * This does _not_ contain any of the newer apparmor mediation features/controls (mount, signals, network, keys, ...) that Ubuntu is currently carrying, all of which will be RFC'd on top of this. - Notable also is the Infiniband work in SELinux, and the new file:map permission. From Paul: "While we're down to 21 patches for v4.13 (it was 31 for v4.12), the diffstat jumps up tremendously with over 2k of line changes. Almost all of these changes are the SELinux/IB work done by Daniel Jurgens; some other noteworthy changes include a NFS v4.2 labeling fix, a new file:map permission, and reporting of policy capabilities on policy load" There's also now genfscon labeling support for tracefs, which was lost in v4.1 with the separation from debugfs. - Smack incorporates a safer socket check in file_receive, and adds a cap_capable call in privilege check. - TPM as usual has a bunch of fixes and enhancements. - Multiple calls to security_add_hooks() can now be made for the same LSM, to allow LSMs to have hook declarations across multiple files. - IMA now supports different "ima_appraise=" modes (eg. log, fix) from the boot command line. * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (126 commits) apparmor: put back designators in struct initialisers seccomp: Switch from atomic_t to recount_t seccomp: Adjust selftests to avoid double-join seccomp: Clean up core dump logic IMA: update IMA policy documentation to include pcr= option ima: Log the same audit cause whenever a file has no signature ima: Simplify policy_func_show. integrity: Small code improvements ima: fix get_binary_runtime_size() ima: use ima_parse_buf() to parse template data ima: use ima_parse_buf() to parse measurements headers ima: introduce ima_parse_buf() ima: Add cgroups2 to the defaults list ima: use memdup_user_nul ima: fix up #endif comments IMA: Correct Kconfig dependencies for hash selection ima: define is_ima_appraise_enabled() ima: define Kconfig IMA_APPRAISE_BOOTPARAM option ima: define a set of appraisal rules requiring file signatures ima: extend the "ima_policy" boot command line to support multiple policies ... 2017-06-21T18:37:12+00:00 Thiago Jung Bauermann bauerman@linux.vnet.ibm.com 2017-06-08T01:49:11+00:00 urn:sha1:2663218ba6e3dd6f27df9664e00fa3eb63be3a3f If the func_tokens array uses the same indices as enum ima_hooks, policy_func_show can be a lot simpler, and the func_* enum becomes unnecessary. Also, if we use the same macro trick used by kernel_read_file_id_str we can use one hooks list for both the enum and the string array, making sure they are always in sync (suggested by Mimi Zohar). Finally, by using the printf pattern for the function token directly instead of using the pt macro we can simplify policy_func_show even further and avoid needing a temporary buffer. Signed-off-by: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> 2017-06-21T18:37:12+00:00 Thiago Jung Bauermann bauerman@linux.vnet.ibm.com 2017-06-08T01:49:10+00:00 urn:sha1:bb543e3959b5909e7b5db4a216018c634a9d9898 These changes are too small to warrant their own patches: The keyid and sig_size members of struct signature_v2_hdr are in BE format, so use a type that makes this assumption explicit. Also, use beXX_to_cpu instead of __beXX_to_cpu to read them. Change integrity_kernel_read to take a void * buffer instead of char * buffer, so that callers don't have to use a cast if they provide a buffer that isn't a char *. Add missing #endif comment in ima.h pointing out which macro it refers to. Add missing fall through comment in ima_appraise.c. Constify mask_tokens and func_tokens arrays. Signed-off-by: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> 2017-06-21T18:37:12+00:00 Laura Abbott labbott@redhat.com 2017-05-09T18:25:27+00:00 urn:sha1:82e3bb4d44be21daefe8af857a68d3c9118c1048 cgroups2 is beginning to show up in wider usage. Add it to the default nomeasure/noappraise list like other filesystems. Signed-off-by: Laura Abbott <labbott@redhat.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> 2017-06-21T18:37:12+00:00 Mimi Zohar zohar@linux.vnet.ibm.com 2017-04-21T22:58:27+00:00 urn:sha1:503ceaef8e2e7dbbdb04a867acc6fe4c548ede7f The builtin "ima_appraise_tcb" policy should require file signatures for at least a few of the hooks (eg. kernel modules, firmware, and the kexec kernel image), but changing it would break the existing userspace/kernel ABI. This patch defines a new builtin policy named "secure_boot", which can be specified on the "ima_policy=" boot command line, independently or in conjunction with the "ima_appraise_tcb" policy, by specifing ima_policy="appraise_tcb | secure_boot". The new appraisal rules requiring file signatures will be added prior to the "ima_appraise_tcb" rules. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Changelog: - Reference secure boot in the new builtin policy name. (Thiago Bauermann) 2017-06-21T18:37:12+00:00 Mimi Zohar zohar@linux.vnet.ibm.com 2017-04-24T16:04:09+00:00 urn:sha1:33ce9549cfa1e71d77bc91a2e67e65d693e2e53f Add support for providing multiple builtin policies on the "ima_policy=" boot command line. Use "|" as the delimitor separating the policy names. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> 2017-06-05T14:59:12+00:00 Christoph Hellwig hch@lst.de 2017-05-10T13:06:33+00:00 urn:sha1:85787090a21eb749d8b347eaf9ff1a455637473c For some file systems we still memcpy into it, but in various places this already allows us to use the proper uuid helpers. More to come.. Signed-off-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Amir Goldstein <amir73il@gmail.com> Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com> (Changes to IMA/EVM) Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> 2017-06-05T14:59:11+00:00 Christoph Hellwig hch@lst.de 2017-06-01T05:00:26+00:00 urn:sha1:787d8c530af73257240fc0c0f60e296a83d5e5f4 Signed-off-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Amir Goldstein <amir73il@gmail.com> Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> 2017-06-05T14:59:10+00:00 Christoph Hellwig hch@lst.de 2017-05-10T13:16:44+00:00 urn:sha1:1dd771eb0b09fe9c12ea58b18c676b32a528be39 This helper was only used by IMA of all things, which would get spurious errors if CONFIG_BLOCK is disabled. Just opencode the call there. Signed-off-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Amir Goldstein <amir73il@gmail.com> Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>