[GIT PULL] Security subsystem changes for 4.3
From: James Morris
Date: Mon Aug 31 2015 - 20:00:21 EST
Highlights:

 o PKCS#7 support added to support signed kexec, also utilized for module
   signing. See comments in 3f1e1bea.

   ** NOTE: this requires linking against the OpenSSL library, which must
   be installed, e.g. the openssl-devel on Fedora **

 o Smack: add IPv6 host labeling; ignore labels on kernel threads;
   support smack labeling mounts which use binary mount data

 o SELinux: add ioctl whitelisting (see
   http://kernsec.org/files/lss2015/vanderstoep.pdf); fix mprotect
   PROT_EXEC regression caused by mm change

 o Seccomp: add ptrace options for suspend/resume

Please pull.
---
The following changes since commit e5aeced6bcec5a110e6dfcb78acc203dbe895b59:

  Merge tag 'spi-v4.3' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi (2015-08-31 15:55:49 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next

Casey Schaufler (3):
      Smack: IPv6 host labeling
      Smack: Three symbols that should be static
      Smack - Fix build error with bringup unconfigured

David Howells (28):
      selinux: Create a common helper to determine an inode label [ver #3]
      ASN.1: Fix handling of CHOICE in ASN.1 compiler
      ASN.1: Fix actions on CHOICE elements with IMPLICIT tags
      ASN.1: Fix non-match detection failure on data overrun
      ASN.1: Handle 'ANY OPTIONAL' in grammar
      ASN.1: Add an ASN.1 compiler option to dump the element tree
      ASN.1: Copy string names to tokens in ASN.1 compiler
      X.509: Extract both parts of the AuthorityKeyIdentifier
      X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifier
      PKCS#7: Allow detached data to be supplied for signature checking purposes
      MODSIGN: Provide a utility to append a PKCS#7 signature to a module
      MODSIGN: Use PKCS#7 messages as module signatures
      system_keyring.c doesn't need to #include module-internal.h
      MODSIGN: Extract the blob PKCS#7 signature verifier from module signing
      MAINTAINERS: The keyrings mailing list has moved
      PKCS#7: Check content type and versions
      X.509: Change recorded SKID & AKID to not include Subject or Issuer
      PKCS#7: Support CMS messages also [RFC5652]
      sign-file: Generate CMS message as signature instead of PKCS#7
      PKCS#7: Improve and export the X.509 ASN.1 time object decoder
      KEYS: Add a name for PKEY_ID_PKCS7
      PKCS#7: Appropriately restrict authenticated attributes and content type
      sign-file: Document dependency on OpenSSL devel libraries
      PKCS#7: Add MODULE_LICENSE() to test module
      sign-file: Fix warning about BIO_reset() return value
      Move certificate handling to its own directory
      Documentation/Changes: Now need OpenSSL devel packages for module signing
      PKCS#7: Add OIDs for sha224, sha284 and sha512 hash algos and use them

David Woodhouse (11):
      modsign: Abort modules_install when signing fails
      modsign: Allow password to be specified for signing key
      modsign: Allow signing key to be PKCS#11
      modsign: Allow external signing key to be specified
      modsign: Extract signing cert from CONFIG_MODULE_SIG_KEY if needed
      modsign: Use single PEM file for autogenerated key
      modsign: Add explicit CONFIG_SYSTEM_TRUSTED_KEYS option
      extract-cert: Cope with multiple X.509 certificates in a single file
      modsign: Use extract-cert to process CONFIG_SYSTEM_TRUSTED_KEYS
      modsign: Use if_changed rule for extracting cert from module signing key
      modsign: Handle signing key in source tree

James Morris (7):
      Merge tag 'seccomp-next' of git://git.kernel.org/.../kees/linux into next
      Merge tag 'asn1-fixes-20150805' of git://git.kernel.org/.../dhowells/linux-fs into next
      Merge branch 'smack-for-4.3' of https://github.com/cschaufler/smack-next into next
      Merge tag 'modsign-pkcs7-20150812-3' of git://git.kernel.org/.../dhowells/linux-fs into next
      Merge branch 'smack-for-4.3' of https://github.com/cschaufler/smack-next into next
      Merge branch 'next' of git://git.infradead.org/users/pcmoore/selinux into next
      Merge tag 'modsign-pkcs7-20150814' of git://git.kernel.org/.../dhowells/linux-fs into ra-next

Jeff Vander Stoep (2):
      security: add ioctl specific auditing to lsm_audit
      selinux: extended permissions for ioctls

Kees Cook (2):
      seccomp: swap hard-coded zeros to defined name
      Yama: remove needless CONFIG_SECURITY_YAMA_STACKED

Laurent Bigonville (1):
      selinux: explicitly declare the role "base_r"

Luis R. Rodriguez (1):
      sign-file: Add option to only create signature file

Paul Gortmaker (1):
      scripts: add extract-cert and sign-file to .gitignore

Pranith Kumar (1):
      seccomp: Replace smp_read_barrier_depends() with lockless_dereference()

Roman Kubiak (1):
      Kernel threads excluded from smack checks

Stephen Smalley (2):
      selinux: initialize sock security class to default value
      selinux: Augment BUG_ON assertion for secclass_map.

Tycho Andersen (1):
      seccomp: add ptrace options for suspend/resume

Vivek Trivedi (1):
      smack: allow mount opts setting over filesystems with binary mount data

Waiman Long (1):
      selinux: reduce locking overhead in inode_free_security()

kbuild test robot (1):
      sysfs: fix simple_return.cocci warnings

.gitignore | 1 +
Documentation/Changes | 17 +-
Documentation/kbuild/kbuild.txt | 5 +
Documentation/module-signing.txt | 56 +++-
Documentation/security/Smack.txt | 27 ++-
Documentation/security/Yama.txt | 10 +-
MAINTAINERS | 21 +-
Makefile | 13 +-
arch/mips/configs/pistachio_defconfig | 1 -
arch/x86/kernel/kexec-bzimage64.c | 4 +-
certs/Kconfig | 42 +++
certs/Makefile | 94 ++++++
{kernel => certs}/system_certificates.S | 5 +-
{kernel => certs}/system_keyring.c | 53 +++-
crypto/Kconfig | 1 +
crypto/asymmetric_keys/Makefile | 8 +-
crypto/asymmetric_keys/asymmetric_type.c | 11 +
crypto/asymmetric_keys/mscode_parser.c | 9 +
crypto/asymmetric_keys/pkcs7.asn1 | 22 +-
crypto/asymmetric_keys/pkcs7_key_type.c | 17 +-
crypto/asymmetric_keys/pkcs7_parser.c | 277 +++++++++++++++-
crypto/asymmetric_keys/pkcs7_parser.h | 20 +-
crypto/asymmetric_keys/pkcs7_trust.c | 10 +-
crypto/asymmetric_keys/pkcs7_verify.c | 145 +++++++-
crypto/asymmetric_keys/public_key.c | 1 +
crypto/asymmetric_keys/verify_pefile.c | 7 +-
crypto/asymmetric_keys/x509_akid.asn1 | 35 ++
crypto/asymmetric_keys/x509_cert_parser.c | 231 +++++++++-----
crypto/asymmetric_keys/x509_parser.h | 12 +-
crypto/asymmetric_keys/x509_public_key.c | 95 ++++--
include/crypto/pkcs7.h | 13 +-
include/crypto/public_key.h | 18 +-
include/keys/system_keyring.h | 7 +
include/linux/asn1_ber_bytecode.h | 16 +-
include/linux/lsm_audit.h | 7 +
include/linux/lsm_hooks.h | 6 +-
include/linux/oid_registry.h | 7 +-
include/linux/ptrace.h | 1 +
include/linux/seccomp.h | 2 +-
include/linux/verify_pefile.h | 6 +-
include/uapi/linux/ptrace.h | 6 +-
init/Kconfig | 40 ++-
kernel/Makefile | 97 ------
kernel/module_signing.c | 213 ++-----------
kernel/ptrace.c | 13 +
kernel/seccomp.c | 17 +-
lib/asn1_decoder.c | 27 ++-
scripts/.gitignore | 2 +
scripts/Kbuild.include | 51 +++
scripts/Makefile | 4 +
scripts/Makefile.modinst | 2 +-
scripts/asn1_compiler.c | 248 +++++++++------
scripts/extract-cert.c | 166 ++++++++++
scripts/selinux/mdp/mdp.c | 1 +
scripts/sign-file | 421 ------------------------
scripts/sign-file.c | 260 +++++++++++++++
security/Kconfig | 5 -
security/lsm_audit.c | 15 +
security/security.c | 11 +-
security/selinux/avc.c | 418 +++++++++++++++++++++++-
security/selinux/hooks.c | 147 ++++++---
security/selinux/include/avc.h | 6 +
security/selinux/include/security.h | 32 ++-
security/selinux/ss/avtab.c | 104 +++++-
security/selinux/ss/avtab.h | 33 ++-
security/selinux/ss/conditional.c | 32 ++-
security/selinux/ss/conditional.h | 6 +-
security/selinux/ss/policydb.c | 5 +
security/selinux/ss/services.c | 213 +++++++++++--
security/selinux/ss/services.h | 6 +
security/smack/smack.h | 66 ++++-
security/smack/smack_access.c | 6 +
security/smack/smack_lsm.c | 511 ++++++++++++++++++++++-------
security/smack/smackfs.c | 436 ++++++++++++++++++++-----
security/yama/Kconfig | 9 +-
security/yama/yama_lsm.c | 32 +--
76 files changed, 3588 insertions(+), 1406 deletions(-)
create mode 100644 certs/Kconfig
create mode 100644 certs/Makefile
rename {kernel => certs}/system_certificates.S (80%)
rename {kernel => certs}/system_keyring.c (68%)
create mode 100644 crypto/asymmetric_keys/x509_akid.asn1
create mode 100644 scripts/extract-cert.c
delete mode 100755 scripts/sign-file
create mode 100755 scripts/sign-file.c