• Linus Torvalds's avatar
    Merge branch 'next-integrity' of... · f8cf2f16
    Linus Torvalds authored
    Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
    
    Pull integrity updates from James Morris:
     "A mixture of bug fixes, code cleanup, and continues to close
      IMA-measurement, IMA-appraisal, and IMA-audit gaps.
    
      Also note the addition of a new cred_getsecid LSM hook by Matthew
      Garrett:
    
         For IMA purposes, we want to be able to obtain the prepared secid
         in the bprm structure before the credentials are committed. Add a
         cred_getsecid hook that makes this possible.
    
      which is used by a new CREDS_CHECK target in IMA:
    
         In ima_bprm_check(), check with both the existing process
         credentials and the credentials that will be committed when the new
         process is started. This will not change behaviour unless the
         system policy is extended to include CREDS_CHECK targets -
         BPRM_CHECK will continue to check the same credentials that it did
         previously"
    
    * 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
      ima: Fallback to the builtin hash algorithm
      ima: Add smackfs to the default appraise/measure list
      evm: check for remount ro in progress before writing
      ima: Improvements in ima_appraise_measurement()
      ima: Simplify ima_eventsig_init()
      integrity: Remove unused macro IMA_ACTION_RULE_FLAGS
      ima: drop vla in ima_audit_measurement()
      ima: Fix Kconfig to select TPM 2.0 CRB interface
      evm: Constify *integrity_status_msg[]
      evm: Move evm_hmac and evm_hash from evm_main.c to evm_crypto.c
      fuse: define the filesystem as untrusted
      ima: fail signature verification based on policy
      ima: clear IMA_HASH
      ima: re-evaluate files on privileged mounted filesystems
      ima: fail file signature verification on non-init mounted filesystems
      IMA: Support using new creds in appraisal policy
      security: Add a cred_getsecid hook
    f8cf2f16
security.c 44.4 KB