[GIT PULL] security subsystem updates for 4.7

From: James Morris
Date: Thu May 19 2016 - 00:06:54 EST


Please pull these updates for the 4.7 kernel.

Highlights:

1. A new LSM, "LoadPin", from Kees Cook is added, which allows forcing of
modules and firmware to be loaded from a specific device (this is from
ChromeOS, where the device as a whole is verified cryptographically via
dm-verity). This is disabled by default but can be configured to be
enabled by default (don't do this if you don't know what you're doing).

2. Keys: allow authentication data to be stored in an asymmetric key. Lots
of general fixes and updates.

3. SELinux: add restrictions for loading of kernel modules via
finit_module(). Distinguish non-init user namespace capability checks.
Apply execstack check on thread stacks.



The following changes since commit 9735a22799b9214d17d3c231fe377fc852f042e9:

  Linux 4.6-rc2 (2016-04-03 09:09:40 -0500)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next

for you to fetch changes up to b937190c40de0f6f07f592042e3097b16c6b0130:

  LSM: LoadPin: provide enablement CONFIG (2016-05-17 20:10:30 +1000)

----------------------------------------------------------------
Andreas Ziegler (1):
security: integrity: Remove select to deleted option PUBLIC_KEY_ALGO_RSA

David Howells (23):
X.509: Whitespace cleanup
KEYS: Allow authentication data to be stored in an asymmetric key
KEYS: Add identifier pointers to public_key_signature struct
X.509: Retain the key verification data
PKCS#7: Make the signature a pointer rather than embedding it
X.509: Extract signature digest and make self-signed cert checks earlier
X.509: Fix self-signed determination
KEYS: Generalise system_verify_data() to provide access to internal content
PKCS#7: Make trust determination dependent on contents of trust keyring
KEYS: Add a facility to restrict new links into a keyring
KEYS: Move x509_request_asymmetric_key() to asymmetric_type.c
KEYS: Generalise x509_request_asymmetric_key()
X.509: Use verify_signature() if we have a struct key * to use
X.509: Move the trust validation code out to its own file
KEYS: Make the system trusted keyring depend on the asymmetric key type
KEYS: Move the point of trust determination to __key_link()
KEYS: Remove KEY_FLAG_TRUSTED and KEY_ALLOC_TRUSTED
certs: Add a secondary system keyring that can be added to dynamically
IMA: Use the the system trusted keyrings instead of .ima_mok
KEYS: user_update should use copy of payload made during preparsing
Merge branch 'keys-misc' into keys-next
Merge branch 'keys-sig' into keys-next
Merge branch 'keys-trust' into keys-next

Dmitry Kasatkin (1):
vfs: forbid write access when reading a file into memory

James Morris (2):
Merge tag 'keys-next-20160505' of git://git.kernel.org/.../dhowells/linux-fs into next
Merge branch 'stable-4.7' of git://git.infradead.org/users/pcmoore/selinux into next

Janak Desai (1):
netlabel: fix a problem with netlbl_secattr_catmap_setrng()

Jeff Vander Stoep (1):
selinux: restrict kernel module loading

Kees Cook (7):
string_helpers: add kstrdup_quotable
string_helpers: add kstrdup_quotable_cmdline
string_helpers: add kstrdup_quotable_file
Yama: consolidate error reporting
LSM: LoadPin for kernel file loading restrictions
fs: fix over-zealous use of "const"
LSM: LoadPin: provide enablement CONFIG

Kirill Marinushkin (1):
Security: Keys: Big keys stored encrypted

Mat Martineau (1):
KEYS: Add KEYCTL_DH_COMPUTE command

Mickaël Salaün (1):
seccomp: Fix comment typo

Mimi Zohar (3):
fs: define a string representation of the kernel_read_file_id enumeration
ima: fix ima_inode_post_setattr
ima: add support for creating files using the mknodat syscall

Paolo Abeni (1):
security: drop the unused hook skb_owned_by

Paul Moore (6):
selinux: don't revalidate inodes in selinux_socket_getpeersec_dgram()
selinux: simply inode label states to INVALID and INITIALIZED
selinux: consolidate the ptrace parent lookup code
selinux: don't revalidate an inode's label when explicitly setting it
selinux: delay inode label lookup as long as possible
selinux: check ss_initialized before revalidating an inode label

Prarit Bhargava (1):
selinux: Change bool variable name to index.

Sasha Levin (1):
Yama: use atomic allocations when reporting

Stephen Smalley (2):
selinux: distinguish non-init user namespace capability checks
selinux: apply execstack check on thread stacks

Documentation/security/LoadPin.txt | 17 ++
Documentation/security/keys.txt | 52 ++++++
MAINTAINERS | 6 +
arch/x86/kernel/kexec-bzimage64.c | 18 +-
certs/Kconfig | 9 +
certs/system_keyring.c | 139 +++++++++++---
crypto/asymmetric_keys/Kconfig | 6 +-
crypto/asymmetric_keys/Makefile | 5 +-
crypto/asymmetric_keys/asymmetric_keys.h | 2 +
crypto/asymmetric_keys/asymmetric_type.c | 96 +++++++++-
crypto/asymmetric_keys/mscode_parser.c | 21 +--
crypto/asymmetric_keys/pkcs7_key_type.c | 72 +++-----
crypto/asymmetric_keys/pkcs7_parser.c | 59 +++---
crypto/asymmetric_keys/pkcs7_parser.h | 11 +-
crypto/asymmetric_keys/pkcs7_trust.c | 43 ++---
crypto/asymmetric_keys/pkcs7_verify.c | 107 +++++------
crypto/asymmetric_keys/public_key.c | 20 +-
crypto/asymmetric_keys/restrict.c | 108 +++++++++++
crypto/asymmetric_keys/signature.c | 18 ++
crypto/asymmetric_keys/verify_pefile.c | 40 +---
crypto/asymmetric_keys/verify_pefile.h | 5 +-
crypto/asymmetric_keys/x509_cert_parser.c | 52 +++---
crypto/asymmetric_keys/x509_parser.h | 12 +-
crypto/asymmetric_keys/x509_public_key.c | 297 +++++++++---------------------
fs/cifs/cifsacl.c | 2 +-
fs/exec.c | 29 ++-
fs/namei.c | 2 +
fs/nfs/nfs4idmap.c | 2 +-
include/crypto/pkcs7.h | 6 +-
include/crypto/public_key.h | 33 ++--
include/keys/asymmetric-subtype.h | 2 +-
include/keys/asymmetric-type.h | 13 +-
include/keys/system_keyring.h | 41 ++---
include/linux/fs.h | 31 +++-
include/linux/ima.h | 6 +
include/linux/key-type.h | 1 -
include/linux/key.h | 44 +++--
include/linux/lsm_hooks.h | 6 +-
include/linux/string_helpers.h | 6 +
include/linux/verification.h | 49 +++++
include/linux/verify_pefile.h | 22 ---
include/uapi/linux/keyctl.h | 10 +
kernel/module_signing.c | 7 +-
kernel/seccomp.c | 2 +-
lib/string_helpers.c | 92 +++++++++
net/dns_resolver/dns_key.c | 2 +-
net/netlabel/netlabel_kapi.c | 2 +-
net/rxrpc/ar-key.c | 4 +-
security/Kconfig | 1 +
security/Makefile | 2 +
security/integrity/Kconfig | 1 -
security/integrity/digsig.c | 15 +-
security/integrity/ima/Kconfig | 36 ++--
security/integrity/ima/Makefile | 2 +-
security/integrity/ima/ima_appraise.c | 7 +-
security/integrity/ima/ima_main.c | 25 ++-
security/integrity/ima/ima_mok.c | 23 +--
security/integrity/integrity.h | 1 +
security/keys/Kconfig | 15 ++
security/keys/Makefile | 1 +
security/keys/big_key.c | 198 ++++++++++++++++++--
security/keys/compat.c | 4 +
security/keys/dh.c | 160 ++++++++++++++++
security/keys/internal.h | 12 ++
security/keys/key.c | 42 ++++-
security/keys/keyctl.c | 5 +
security/keys/keyring.c | 46 ++++-
security/keys/persistent.c | 4 +-
security/keys/process_keys.c | 16 +-
security/keys/request_key.c | 4 +-
security/keys/request_key_auth.c | 2 +-
security/keys/user_defined.c | 42 ++---
security/loadpin/Kconfig | 19 ++
security/loadpin/Makefile | 1 +
security/loadpin/loadpin.c | 190 +++++++++++++++++++
security/security.c | 2 +-
security/selinux/hooks.c | 144 ++++++++++-----
security/selinux/include/classmap.h | 30 +--
security/selinux/include/conditional.h | 2 +-
security/selinux/include/objsec.h | 5 +-
security/selinux/ss/services.c | 6 +-
security/yama/yama_lsm.c | 31 +++-
82 files changed, 1916 insertions(+), 807 deletions(-)
create mode 100644 Documentation/security/LoadPin.txt
create mode 100644 crypto/asymmetric_keys/restrict.c
create mode 100644 include/linux/verification.h
delete mode 100644 include/linux/verify_pefile.h
create mode 100644 security/keys/dh.c
create mode 100644 security/loadpin/Kconfig
create mode 100644 security/loadpin/Makefile
create mode 100644 security/loadpin/loadpin.c