lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <221392a7698a16d1844ba2b6f80669e635babf7a.camel@linux.ibm.com>
Date:   Thu, 06 Aug 2020 15:06:51 -0400
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     linux-integrity <linux-integrity@...r.kernel.org>,
        linux-kernel <linux-kernel@...r.kernel.org>
Subject: [GIT PULL] integrity subsystem updates for v5.9

Hi Linus,

The nicest change is the IMA policy rule checking.  The other changes
include allowing the kexec boot cmdline line measure policy rules to be
defined in terms of the inode associated with the kexec kernel image,
making the IMA_APPRAISE_BOOTPARAM, which governs the IMA appraise mode
(log, fix, enforce), a runtime decision based on the secure boot mode
of the system, and including errno in the audit log.

thanks,

Mimi


The following changes since commit 48778464bb7d346b47157d21ffde2af6b2d39110:

  Linux 5.8-rc2 (2020-06-21 15:45:29 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v5.9

for you to fetch changes up to 3db0d0c276a752af39beb5ca7424cb659aa005bb:

  integrity: remove redundant initialization of variable ret (2020-07-27 16:52:09 -0400)

----------------------------------------------------------------
integrity-v5.9

----------------------------------------------------------------
Bruno Meneguele (1):
      ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime

Colin Ian King (1):
      integrity: remove redundant initialization of variable ret

Lakshmi Ramasubramanian (2):
      integrity: Add errno field in audit message
      IMA: Add audit log for failure conditions

Maurizio Drocco (1):
      ima: extend boot_aggregate with kernel measurements

Mimi Zohar (1):
      Merge branch 'validate-policy-rules' into next-integrity

Tyler Hicks (14):
      ima: Have the LSM free its audit rule
      ima: Free the entire rule when deleting a list of rules
      ima: Free the entire rule if it fails to parse
      ima: Fail rule parsing when buffer hook functions have an invalid action
      ima: Fail rule parsing when the KEXEC_CMDLINE hook is combined with an invalid cond
      ima: Fail rule parsing when the KEY_CHECK hook is combined with an invalid cond
      ima: Fail rule parsing when appraise_flag=blacklist is unsupportable
      ima: Shallow copy the args_p member of ima_rule_entry.lsm elements
      ima: Use correct type for the args_p member of ima_rule_entry.lsm elements
      ima: Move comprehensive rule validation checks out of the token parser
      ima: Use the common function to detect LSM conditionals in a rule
      ima: Support additional conditionals in the KEXEC_CMDLINE hook function
      ima: Rename internal filter rule functions
      ima: AppArmor satisfies the audit rule requirements

 include/linux/ima.h                          |   4 +-
 kernel/kexec_file.c                          |   2 +-
 security/integrity/digsig_asymmetric.c       |   2 +-
 security/integrity/ima/Kconfig               |   4 +-
 security/integrity/ima/ima.h                 |  75 +++++----
 security/integrity/ima/ima_api.c             |   2 +-
 security/integrity/ima/ima_appraise.c        |   8 +-
 security/integrity/ima/ima_asymmetric_keys.c |   2 +-
 security/integrity/ima/ima_crypto.c          |  15 +-
 security/integrity/ima/ima_main.c            |  41 +++--
 security/integrity/ima/ima_modsig.c          |  20 ---
 security/integrity/ima/ima_policy.c          | 240 +++++++++++++++++++--------
 security/integrity/ima/ima_queue_keys.c      |   7 +-
 security/integrity/integrity.h               |  13 ++
 security/integrity/integrity_audit.c         |  11 +-
 15 files changed, 301 insertions(+), 145 deletions(-)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ