Message-ID: <alpine.LRH.2.20.1612120908020.8385@namei.org>
Date:   Mon, 12 Dec 2016 09:21:34 +1100 (AEDT)
From:   James Morris <jmorris@...ei.org>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
cc:     linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: [GIT PULL] Security subsystem updates for 4.10

Generally pretty quiet for this release.

Highlights:

- Yama:
  - allow ptrace access for original parent after re-parenting

- TPM:
  - add documentation
  - many bugfixes & cleanups
  - define a generic open() method for ascii & bios measurements
- Integrity:
  - Harden against malformed xattrs

- SELinux:
  - bugfixes & cleanups

- Smack:
  - Remove unnecessary smack_known_invalid label
  - Do not apply star label in smack_setprocattr hook
  - parse mnt opts after privileges check (fixes unpriv DoS vuln)


Please pull.

---
The following changes since commit 69973b830859bc6529a7a0468ba0d80ee5117826:

  Linux 4.9 (2016-12-11 11:17:54 -0800)

are available in the git repository at:
  git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next

Andreas Gruenbacher (4):
      selinux: Minor cleanups
      proc: Pass file mode to proc_pid_make_inode
      selinux: Clean up initialization of isec->sclass
      selinux: Convert isec->lock into a spinlock

Baruch Siach (2):
      Doc: security: keys-trusted: drop duplicate blobauth entry
      char: tpm: fix kerneldoc tpm2_unseal_trusted name typo

Casey Schaufler (2):
      Smack: ipv6 label match fix
      Smack: Remove unnecessary smack_known_invalid

Colin Ian King (1):
      tpm: return -ENODEV if np is not set

Ed Swierk (1):
      tpm: Clean up reading of timeout and duration capabilities

Eric Richter (1):
      ima: fix memory leak in ima_release_policy

Himanshu Shukla (3):
      smack: parse mnt opts after privileges check
      SMACK: Do not apply star label in smack_setprocattr hook
      SMACK: Fix the memory leak in smack_cred_prepare() hook

James Morris (5):
      Merge tag 'seccomp-v4.9-rc4' of git://git.kernel.org/.../kees/linux into ra-next
      Merge commit 'v4.9-rc5' into next
      Merge remote branch 'smack/smack-for-4.10' into next
      Merge branch 'next' of git://git.kernel.org/.../zohar/linux-integrity into next
      Merge branch 'stable-4.10' of git://git.infradead.org/users/pcmoore/selinux into next

Jarkko Sakkinen (4):
      tpm: sanitize constant expressions
      tpm, tpm_vtpm_proxy: add kdoc comments for VTPM_PROXY_IOC_NEW_DEV
      tpm: replace dynamically allocated bios_dir with a static array
      tpm: drop tpm1_chip_register(/unregister)

Jason Gunthorpe (7):
      tpm tis: Do not print timeout messages twice
      tpm xen: Remove bogus tpm_chip_unregister
      tpm: Get rid of TPM_CHIP_FLAG_REGISTERED
      tpm_tis: Allow tpm_tis to be bound using DT
      tpm: Fix handling of missing event log
      tpm: vtpm_proxy: conditionally call tpm_chip_unregister
      tpm: adjust return value of tpm_read_log

Josh Stone (1):
      Yama: allow access for the current ptrace parent

Josh Zimmerman (1):
      tpm_tis: Check return values from get_burstcount.

Mickaël Salaün (1):
      seccomp: Fix documentation

Mimi Zohar (2):
      Revert "ima: limit file hash setting by user to fix and log modes"
      ima: include the reason for TPM-bypass mode

Nayna Jain (9):
      Documentation: tpm: add the IBM Virtual TPM device tree binding documentation
      Documentation: tpm: add the Physical TPM device tree binding documentation
      tpm: define a generic open() method for ascii & bios measurements
      tpm: replace symbolic permission with octal for securityfs files
      tpm: have event log use the tpm_chip
      tpm: fix the missing .owner in tpm_bios_measurements_ops
      tpm: redefine read_log() to handle ACPI/OF at runtime
      tpm: replace of_find_node_by_name() with dev of_node property
      tpm: cleanup of printk error messages

Peter Huewe (1):
      char/tpm: Check return code of wait_for_tpm_stat

Ricky Zhou (3):
      samples/seccomp: Fix hostprogs variable
      samples/seccomp: Enable PR_SET_NO_NEW_PRIVS in dropper
      samples/seccomp: Support programs with >256 instructions

Seth Forshee (1):
      security/integrity: Harden against malformed xattrs

Stefan Berger (2):
      tpm: Only call pm_runtime_get_sync if device has a parent
      tpm: Check the bios_dir entry for NULL before accessing it

Stephen Smalley (2):
      selinux: normalize input to /sys/fs/selinux/enforce
      selinux: keep SELinux in sync with new capability definitions

Tetsuo Handa (2):
      SELinux: Use GFP_KERNEL for selinux_parse_opts_str().
      Smack: Use GFP_KERNEL for smack_parse_opts_str().

Winkler, Tomas (5):
      tpm/tpm_crb: implement tpm crb idle state
      tmp/tpm_crb: fix Intel PTT hw bug during idle state
      tpm/tpm_crb: open code the crb_init into acpi_add
      tmp/tpm_crb: implement runtime pm for tpm_crb
      tpm: place kdoc just above tpm_pcr_extend

jooseong lee (1):
      Smack: Assign smack_known_web label for kernel thread's

 .../devicetree/bindings/security/tpm/ibmvtpm.txt   |   41 ++++
 .../devicetree/bindings/security/tpm/tpm-i2c.txt   |   21 ++
 .../bindings/security/tpm/tpm_tis_mmio.txt         |   25 ++
 Documentation/security/keys-trusted-encrypted.txt  |    2 -
 drivers/char/tpm/Kconfig                           |    2 +-
 drivers/char/tpm/Makefile                          |   14 +-
 drivers/char/tpm/tpm-chip.c                        |   38 +---
 drivers/char/tpm/tpm-interface.c                   |  110 ++++------
 drivers/char/tpm/tpm-sysfs.c                       |    7 +-
 drivers/char/tpm/tpm.h                             |   41 +++--
 drivers/char/tpm/tpm2-cmd.c                        |    2 +-
 drivers/char/tpm/tpm_acpi.c                        |   46 ++--
 drivers/char/tpm/tpm_crb.c                         |  173 +++++++++++++--
 drivers/char/tpm/tpm_eventlog.c                    |  230 ++++++++++----------
 drivers/char/tpm/tpm_eventlog.h                    |   22 +-
 drivers/char/tpm/tpm_of.c                          |   48 ++---
 drivers/char/tpm/tpm_tis.c                         |   11 +
 drivers/char/tpm/tpm_tis_core.c                    |   64 ++++--
 drivers/char/tpm/tpm_vtpm_proxy.c                  |   85 +++++---
 drivers/char/tpm/xen-tpmfront.c                    |    1 -
 fs/proc/base.c                                     |   23 +--
 fs/proc/fd.c                                       |    6 +-
 fs/proc/internal.h                                 |    2 +-
 fs/proc/namespaces.c                               |    3 +-
 include/uapi/linux/vtpm_proxy.h                    |   23 ++-
 kernel/seccomp.c                                   |    7 +-
 samples/seccomp/Makefile                           |    4 +-
 samples/seccomp/bpf-helper.c                       |   38 ++--
 samples/seccomp/dropper.c                          |    7 +-
 security/integrity/digsig.c                        |    2 +-
 security/integrity/evm/evm_main.c                  |    4 +
 security/integrity/ima/ima_appraise.c              |   13 +-
 security/integrity/ima/ima_fs.c                    |    2 +-
 security/integrity/ima/ima_init.c                  |    3 +-
 security/selinux/hooks.c                           |  120 ++++++----
 security/selinux/include/classmap.h                |    4 +
 security/selinux/include/objsec.h                  |    5 +-
 security/selinux/selinuxfs.c                       |    6 +-
 security/smack/smack.h                             |    1 -
 security/smack/smack_access.c                      |    7 +-
 security/smack/smack_lsm.c                         |  117 +++++------
 security/smack/smackfs.c                           |    3 -
 security/yama/yama_lsm.c                           |   16 ++-
 43 files changed, 832 insertions(+), 567 deletions(-)
 create mode 100644 Documentation/devicetree/bindings/security/tpm/ibmvtpm.txt
 create mode 100644 Documentation/devicetree/bindings/security/tpm/tpm-i2c.txt
 create mode 100644 Documentation/devicetree/bindings/security/tpm/tpm_tis_mmio.txt
