    Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security · f4f27d00
    Linus Torvalds authored
    Pull security subsystem updates from James Morris:
     "Highlights:
    
       - A new LSM, "LoadPin", from Kees Cook is added, which allows forcing
         of modules and firmware to be loaded from a specific device (this
         is from ChromeOS, where the device as a whole is verified
         cryptographically via dm-verity).
    
         This is disabled by default but can be configured to be enabled by
         default (don't do this if you don't know what you're doing).
    
       - Keys: allow authentication data to be stored in an asymmetric key.
         Lots of general fixes and updates.
    
       - SELinux: add restrictions for loading of kernel modules via
         finit_module().  Distinguish non-init user namespace capability
         checks.  Apply execstack check on thread stacks"
    
    * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (48 commits)
      LSM: LoadPin: provide enablement CONFIG
      Yama: use atomic allocations when reporting
      seccomp: Fix comment typo
      ima: add support for creating files using the mknodat syscall
      ima: fix ima_inode_post_setattr
      vfs: forbid write access when reading a file into memory
      fs: fix over-zealous use of "const"
      selinux: apply execstack check on thread stacks
      selinux: distinguish non-init user namespace capability checks
      LSM: LoadPin for kernel file loading restrictions
      fs: define a string representation of the kernel_read_file_id enumeration
      Yama: consolidate error reporting
      string_helpers: add kstrdup_quotable_file
      string_helpers: add kstrdup_quotable_cmdline
      string_helpers: add kstrdup_quotable
      selinux: check ss_initialized before revalidating an inode label
      selinux: delay inode label lookup as long as possible
      selinux: don't revalidate an inode's label when explicitly setting it
      selinux: Change bool variable name to index.
      KEYS: Add KEYCTL_DH_COMPUTE command
      ...